3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163 | Triage

Resubmissions

29/10/2024, 12:13 UTC

241029-pdwd9avgkq 10

07/05/2023, 01:09 UTC

230507-bhsx2afe99 10

Analysis

max time kernel
181s
max time network
189s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/05/2023, 01:09 UTC

Sharing

Report Analysis Logs

General

Target

3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe
Size

702KB
MD5

38917df14930c01c2cd9bc5724c1a21a
SHA1

b308686e0427e2b19c2de8a9e1700396af3f1455
SHA256

3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163
SHA512

c4f29ef38a836553267744033d2a98358e7dacc0353aaf677c7e47eeb0eec2cd0b2d3c91c9edb9482c5ffcd686f6bd260c502129076cf2dd21d796cbbcc04b50
SSDEEP

12288:Zy90NwK/g2JW8gleN9r3BQk0j8cbXUGF18iWfEG2Qo9w+6ECdXIMttG6:Zy3uJW1eBN46cGiwdXiMttG6

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Modify Existing Service

Disabling Security Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	76005328.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	76005328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	76005328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	76005328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	76005328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	76005328.exe

Executes dropped EXE 3 IoCs

pid	Process
936	un841435.exe
876	76005328.exe
828	rk014550.exe

Loads dropped DLL 8 IoCs

pid	Process
1212	3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe
936	un841435.exe
936	un841435.exe
936	un841435.exe
876	76005328.exe
936	un841435.exe
936	un841435.exe
828	rk014550.exe

Windows security modification 2 TTPs 2 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	76005328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	76005328.exe

Adds Run key to start application 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un841435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un841435.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
876	76005328.exe
876	76005328.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	76005328.exe
Token: SeDebugPrivilege	828	rk014550.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 936	1212	3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe	28
PID 1212 wrote to memory of 936	1212	3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe	28
PID 1212 wrote to memory of 936	1212	3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe	28
PID 1212 wrote to memory of 936	1212	3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe	28
PID 1212 wrote to memory of 936	1212	3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe	28
PID 1212 wrote to memory of 936	1212	3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe	28
PID 1212 wrote to memory of 936	1212	3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe	28
PID 936 wrote to memory of 876	936	un841435.exe	29
PID 936 wrote to memory of 876	936	un841435.exe	29
PID 936 wrote to memory of 876	936	un841435.exe	29
PID 936 wrote to memory of 876	936	un841435.exe	29
PID 936 wrote to memory of 876	936	un841435.exe	29
PID 936 wrote to memory of 876	936	un841435.exe	29
PID 936 wrote to memory of 876	936	un841435.exe	29
PID 936 wrote to memory of 828	936	un841435.exe	30
PID 936 wrote to memory of 828	936	un841435.exe	30
PID 936 wrote to memory of 828	936	un841435.exe	30
PID 936 wrote to memory of 828	936	un841435.exe	30
PID 936 wrote to memory of 828	936	un841435.exe	30
PID 936 wrote to memory of 828	936	un841435.exe	30
PID 936 wrote to memory of 828	936	un841435.exe	30

C:\Users\Admin\AppData\Local\Temp\3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe
"C:\Users\Admin\AppData\Local\Temp\3a233b98bc1a4f358b848e143e0b5cb8e310eba5e35b453adbbd17106552d163.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un841435.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un841435.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76005328.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76005328.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk014550.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk014550.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:828

Network

No results found

185.161.248.143:38452

rk014550.exe

152 B
3
185.161.248.143:38452

rk014550.exe

152 B
3
185.161.248.143:38452

rk014550.exe

152 B
3
185.161.248.143:38452

rk014550.exe

152 B
3
185.161.248.143:38452

rk014550.exe

104 B
2

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un841435.exe

Filesize
547KB

MD5
2450255b8191721837a6242262fd2f39

SHA1
7b6a4255fcf9fac15eb8fa8685e07817dcc9e2da

SHA256
521f51bf4ad8741fd7410a418070be7395a0c5a46be53ffca3626cd774f693ea

SHA512
48206ea5c0a43b1891448f09d81a35c86147f8b25bcdd7bea830f2d4dd509b15b22e90ec6925b45e6a64a3d5a3c411e7493b05965b5d1e9def1ac1af15542eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un841435.exe

Filesize
547KB

MD5
2450255b8191721837a6242262fd2f39

SHA1
7b6a4255fcf9fac15eb8fa8685e07817dcc9e2da

SHA256
521f51bf4ad8741fd7410a418070be7395a0c5a46be53ffca3626cd774f693ea

SHA512
48206ea5c0a43b1891448f09d81a35c86147f8b25bcdd7bea830f2d4dd509b15b22e90ec6925b45e6a64a3d5a3c411e7493b05965b5d1e9def1ac1af15542eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76005328.exe

Filesize
269KB

MD5
135c0735e10a620dab24ffc5116993cc

SHA1
03d59cd605d03a2c10e5d4e7db9c719aed2607f5

SHA256
5beebf1dd8b6d467dbcb884298b5661ed01df77753e4adb3bc17f2475448e086

SHA512
65f1fc16c4dc134a185129bc5e124ffc5930db41e7d22ff0b30a4da76f1bd55eff5845fc379c8c4d888abeecc7be7df829a9adddc033a000fca5b031189a59be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76005328.exe

Filesize
269KB

MD5
135c0735e10a620dab24ffc5116993cc

SHA1
03d59cd605d03a2c10e5d4e7db9c719aed2607f5

SHA256
5beebf1dd8b6d467dbcb884298b5661ed01df77753e4adb3bc17f2475448e086

SHA512
65f1fc16c4dc134a185129bc5e124ffc5930db41e7d22ff0b30a4da76f1bd55eff5845fc379c8c4d888abeecc7be7df829a9adddc033a000fca5b031189a59be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76005328.exe

Filesize
269KB

MD5
135c0735e10a620dab24ffc5116993cc

SHA1
03d59cd605d03a2c10e5d4e7db9c719aed2607f5

SHA256
5beebf1dd8b6d467dbcb884298b5661ed01df77753e4adb3bc17f2475448e086

SHA512
65f1fc16c4dc134a185129bc5e124ffc5930db41e7d22ff0b30a4da76f1bd55eff5845fc379c8c4d888abeecc7be7df829a9adddc033a000fca5b031189a59be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk014550.exe

Filesize
353KB

MD5
b6b4fb6b7513d8b5f55ccaf0eb52b0e4

SHA1
b248f8101757decba2b101c78c7a1e6023435627

SHA256
84e70f3561007f8f11b1673347924908798e2f931774bf2743b28f31793d17dd

SHA512
e147916699eaca4afe90d833bfd08cbca102d52ce253a12c356bdf038cb97f7abd5f926b9960d56e2159321e73ebe02d570d146e811f794e288ef9bcaef59db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk014550.exe

Filesize
353KB

MD5
b6b4fb6b7513d8b5f55ccaf0eb52b0e4

SHA1
b248f8101757decba2b101c78c7a1e6023435627

SHA256
84e70f3561007f8f11b1673347924908798e2f931774bf2743b28f31793d17dd

SHA512
e147916699eaca4afe90d833bfd08cbca102d52ce253a12c356bdf038cb97f7abd5f926b9960d56e2159321e73ebe02d570d146e811f794e288ef9bcaef59db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk014550.exe

Filesize
353KB

MD5
b6b4fb6b7513d8b5f55ccaf0eb52b0e4

SHA1
b248f8101757decba2b101c78c7a1e6023435627

SHA256
84e70f3561007f8f11b1673347924908798e2f931774bf2743b28f31793d17dd

SHA512
e147916699eaca4afe90d833bfd08cbca102d52ce253a12c356bdf038cb97f7abd5f926b9960d56e2159321e73ebe02d570d146e811f794e288ef9bcaef59db7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un841435.exe

Filesize
547KB

MD5
2450255b8191721837a6242262fd2f39

SHA1
7b6a4255fcf9fac15eb8fa8685e07817dcc9e2da

SHA256
521f51bf4ad8741fd7410a418070be7395a0c5a46be53ffca3626cd774f693ea

SHA512
48206ea5c0a43b1891448f09d81a35c86147f8b25bcdd7bea830f2d4dd509b15b22e90ec6925b45e6a64a3d5a3c411e7493b05965b5d1e9def1ac1af15542eae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un841435.exe

Filesize
547KB

MD5
2450255b8191721837a6242262fd2f39

SHA1
7b6a4255fcf9fac15eb8fa8685e07817dcc9e2da

SHA256
521f51bf4ad8741fd7410a418070be7395a0c5a46be53ffca3626cd774f693ea

SHA512
48206ea5c0a43b1891448f09d81a35c86147f8b25bcdd7bea830f2d4dd509b15b22e90ec6925b45e6a64a3d5a3c411e7493b05965b5d1e9def1ac1af15542eae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\76005328.exe

Filesize
269KB

MD5
135c0735e10a620dab24ffc5116993cc

SHA1
03d59cd605d03a2c10e5d4e7db9c719aed2607f5

SHA256
5beebf1dd8b6d467dbcb884298b5661ed01df77753e4adb3bc17f2475448e086

SHA512
65f1fc16c4dc134a185129bc5e124ffc5930db41e7d22ff0b30a4da76f1bd55eff5845fc379c8c4d888abeecc7be7df829a9adddc033a000fca5b031189a59be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\76005328.exe

Filesize
269KB

MD5
135c0735e10a620dab24ffc5116993cc

SHA1
03d59cd605d03a2c10e5d4e7db9c719aed2607f5

SHA256
5beebf1dd8b6d467dbcb884298b5661ed01df77753e4adb3bc17f2475448e086

SHA512
65f1fc16c4dc134a185129bc5e124ffc5930db41e7d22ff0b30a4da76f1bd55eff5845fc379c8c4d888abeecc7be7df829a9adddc033a000fca5b031189a59be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\76005328.exe

Filesize
269KB

MD5
135c0735e10a620dab24ffc5116993cc

SHA1
03d59cd605d03a2c10e5d4e7db9c719aed2607f5

SHA256
5beebf1dd8b6d467dbcb884298b5661ed01df77753e4adb3bc17f2475448e086

SHA512
65f1fc16c4dc134a185129bc5e124ffc5930db41e7d22ff0b30a4da76f1bd55eff5845fc379c8c4d888abeecc7be7df829a9adddc033a000fca5b031189a59be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk014550.exe

Filesize
353KB

MD5
b6b4fb6b7513d8b5f55ccaf0eb52b0e4

SHA1
b248f8101757decba2b101c78c7a1e6023435627

SHA256
84e70f3561007f8f11b1673347924908798e2f931774bf2743b28f31793d17dd

SHA512
e147916699eaca4afe90d833bfd08cbca102d52ce253a12c356bdf038cb97f7abd5f926b9960d56e2159321e73ebe02d570d146e811f794e288ef9bcaef59db7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk014550.exe

Filesize
353KB

MD5
b6b4fb6b7513d8b5f55ccaf0eb52b0e4

SHA1
b248f8101757decba2b101c78c7a1e6023435627

SHA256
84e70f3561007f8f11b1673347924908798e2f931774bf2743b28f31793d17dd

SHA512
e147916699eaca4afe90d833bfd08cbca102d52ce253a12c356bdf038cb97f7abd5f926b9960d56e2159321e73ebe02d570d146e811f794e288ef9bcaef59db7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk014550.exe

Filesize
353KB

MD5
b6b4fb6b7513d8b5f55ccaf0eb52b0e4

SHA1
b248f8101757decba2b101c78c7a1e6023435627

SHA256
84e70f3561007f8f11b1673347924908798e2f931774bf2743b28f31793d17dd

SHA512
e147916699eaca4afe90d833bfd08cbca102d52ce253a12c356bdf038cb97f7abd5f926b9960d56e2159321e73ebe02d570d146e811f794e288ef9bcaef59db7

Download Submit
memory/828-152-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-134-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-156-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-154-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-128-0x0000000004B20000-0x0000000004B5A000-memory.dmp

Filesize
232KB

Download
memory/828-150-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-148-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-146-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-144-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-142-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-140-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-138-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-136-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-158-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-132-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-130-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-129-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-160-0x0000000004B20000-0x0000000004B55000-memory.dmp

Filesize
212KB

Download
memory/828-183-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/828-185-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/828-924-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/828-925-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/828-927-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/828-127-0x0000000004AE0000-0x0000000004B1C000-memory.dmp

Filesize
240KB

Download
memory/828-126-0x0000000000370000-0x00000000003B6000-memory.dmp

Filesize
280KB

Download
memory/876-84-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-115-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/876-112-0x0000000007340000-0x0000000007380000-memory.dmp

Filesize
256KB

Download
memory/876-111-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/876-110-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-106-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-108-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-102-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-104-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-98-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-100-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-94-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-96-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-90-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-92-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-88-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-86-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-83-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/876-82-0x0000000007340000-0x0000000007380000-memory.dmp

Filesize
256KB

Download
memory/876-79-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/876-80-0x0000000002C50000-0x0000000002C68000-memory.dmp

Filesize
96KB

Download
memory/876-81-0x0000000007340000-0x0000000007380000-memory.dmp

Filesize
256KB

Download
memory/876-78-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download