9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66

Resubmissions

29-10-2024 14:06

241029-regnlawcqp 10

29-10-2024 12:53

241029-p4zvcsvhqp 10

07-05-2023 04:57

230507-fldpqshh67 10

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe
Size

746KB
MD5

7c3dda2c9904ba420260b3489e2ef165
SHA1

c5ce5096c8d8175ff522ee68d1a68b8cea926c2d
SHA256

9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66
SHA512

2f10af6e5d497478f47813322d039012467c43d4bba12fe30b5a42a472379c9daa62529c73657d77886c5b8fcaab9cae959e5264124cec750091b0d9a237febd
SSDEEP

12288:Sy90N8arEZ38DLXqXNNsbiuQ4sbrXfUcXfSqXtXVtCX3b73xzR:Sy48arEJYLa9eenX8cXfVSb7/

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	55874308.exe

Executes dropped EXE 3 IoCs

pid	Process
916	un721028.exe
1504	55874308.exe
1824	rk367654.exe

Loads dropped DLL 8 IoCs

pid	Process
1124	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe
916	un721028.exe
916	un721028.exe
916	un721028.exe
1504	55874308.exe
916	un721028.exe
916	un721028.exe
1824	rk367654.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	55874308.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un721028.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un721028.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1504	55874308.exe
1504	55874308.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	55874308.exe
Token: SeDebugPrivilege	1824	rk367654.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 916	1124	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe	28
PID 1124 wrote to memory of 916	1124	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe	28
PID 1124 wrote to memory of 916	1124	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe	28
PID 1124 wrote to memory of 916	1124	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe	28
PID 1124 wrote to memory of 916	1124	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe	28
PID 1124 wrote to memory of 916	1124	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe	28
PID 1124 wrote to memory of 916	1124	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe	28
PID 916 wrote to memory of 1504	916	un721028.exe	29
PID 916 wrote to memory of 1504	916	un721028.exe	29
PID 916 wrote to memory of 1504	916	un721028.exe	29
PID 916 wrote to memory of 1504	916	un721028.exe	29
PID 916 wrote to memory of 1504	916	un721028.exe	29
PID 916 wrote to memory of 1504	916	un721028.exe	29
PID 916 wrote to memory of 1504	916	un721028.exe	29
PID 916 wrote to memory of 1824	916	un721028.exe	30
PID 916 wrote to memory of 1824	916	un721028.exe	30
PID 916 wrote to memory of 1824	916	un721028.exe	30
PID 916 wrote to memory of 1824	916	un721028.exe	30
PID 916 wrote to memory of 1824	916	un721028.exe	30
PID 916 wrote to memory of 1824	916	un721028.exe	30
PID 916 wrote to memory of 1824	916	un721028.exe	30

C:\Users\Admin\AppData\Local\Temp\9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe
"C:\Users\Admin\AppData\Local\Temp\9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe

Filesize
591KB

MD5
f39e96db71b850be0e8113dff1c58e96

SHA1
23a5a923212d5dba4e79a32d29a53e981ab15b21

SHA256
512a02378458eb8745bf6bdbc1eee575b557651072d935c96746f01c3eb30f7f

SHA512
2be9713d582dd079188c08ca9ec60c596e55f70ede81893d0a30add859687aae7e522fde85ea005c24eab6bc8587a31b57fd1b5a7fc8303a904406b8f15ea31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe

Filesize
591KB

MD5
f39e96db71b850be0e8113dff1c58e96

SHA1
23a5a923212d5dba4e79a32d29a53e981ab15b21

SHA256
512a02378458eb8745bf6bdbc1eee575b557651072d935c96746f01c3eb30f7f

SHA512
2be9713d582dd079188c08ca9ec60c596e55f70ede81893d0a30add859687aae7e522fde85ea005c24eab6bc8587a31b57fd1b5a7fc8303a904406b8f15ea31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe

Filesize
376KB

MD5
bfe8737b256d0abd4bd9b86dd51cf2d2

SHA1
91906151c3d615497a2685a1c2dfb8398a7524cb

SHA256
3dea26076cd2848c5544006f5d3d06b5d7b369c0a594f50b3175c805587756f8

SHA512
b581ab6ae61ceb4ad38b1888032fc53d4c972a97839096eb1b44a760377fc4eab12fb4b5fc2cb51d611355843e1f412631677e427c420b9e75cb2351e368cea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe

Filesize
376KB

MD5
bfe8737b256d0abd4bd9b86dd51cf2d2

SHA1
91906151c3d615497a2685a1c2dfb8398a7524cb

SHA256
3dea26076cd2848c5544006f5d3d06b5d7b369c0a594f50b3175c805587756f8

SHA512
b581ab6ae61ceb4ad38b1888032fc53d4c972a97839096eb1b44a760377fc4eab12fb4b5fc2cb51d611355843e1f412631677e427c420b9e75cb2351e368cea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe

Filesize
376KB

MD5
bfe8737b256d0abd4bd9b86dd51cf2d2

SHA1
91906151c3d615497a2685a1c2dfb8398a7524cb

SHA256
3dea26076cd2848c5544006f5d3d06b5d7b369c0a594f50b3175c805587756f8

SHA512
b581ab6ae61ceb4ad38b1888032fc53d4c972a97839096eb1b44a760377fc4eab12fb4b5fc2cb51d611355843e1f412631677e427c420b9e75cb2351e368cea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe

Filesize
459KB

MD5
d041b732253fef6c275a1f5c490447ed

SHA1
15caa238a29b75ea279ef08684558f89145741cf

SHA256
f938c49409d99ce839e8b5de672c5a972c8348f96935b4ca7f73414e1bd406f1

SHA512
c044332361d1e8788882beddd5d4113c5147c87b39b80791bbe1328b14c6a5b9a5b211c049802798ae474f8082281556469f636ebc2ab078dd25eba36f68f440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe

Filesize
459KB

MD5
d041b732253fef6c275a1f5c490447ed

SHA1
15caa238a29b75ea279ef08684558f89145741cf

SHA256
f938c49409d99ce839e8b5de672c5a972c8348f96935b4ca7f73414e1bd406f1

SHA512
c044332361d1e8788882beddd5d4113c5147c87b39b80791bbe1328b14c6a5b9a5b211c049802798ae474f8082281556469f636ebc2ab078dd25eba36f68f440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe

Filesize
459KB

MD5
d041b732253fef6c275a1f5c490447ed

SHA1
15caa238a29b75ea279ef08684558f89145741cf

SHA256
f938c49409d99ce839e8b5de672c5a972c8348f96935b4ca7f73414e1bd406f1

SHA512
c044332361d1e8788882beddd5d4113c5147c87b39b80791bbe1328b14c6a5b9a5b211c049802798ae474f8082281556469f636ebc2ab078dd25eba36f68f440

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe

Filesize
591KB

MD5
f39e96db71b850be0e8113dff1c58e96

SHA1
23a5a923212d5dba4e79a32d29a53e981ab15b21

SHA256
512a02378458eb8745bf6bdbc1eee575b557651072d935c96746f01c3eb30f7f

SHA512
2be9713d582dd079188c08ca9ec60c596e55f70ede81893d0a30add859687aae7e522fde85ea005c24eab6bc8587a31b57fd1b5a7fc8303a904406b8f15ea31f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe

Filesize
591KB

MD5
f39e96db71b850be0e8113dff1c58e96

SHA1
23a5a923212d5dba4e79a32d29a53e981ab15b21

SHA256
512a02378458eb8745bf6bdbc1eee575b557651072d935c96746f01c3eb30f7f

SHA512
2be9713d582dd079188c08ca9ec60c596e55f70ede81893d0a30add859687aae7e522fde85ea005c24eab6bc8587a31b57fd1b5a7fc8303a904406b8f15ea31f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe

Filesize
376KB

MD5
bfe8737b256d0abd4bd9b86dd51cf2d2

SHA1
91906151c3d615497a2685a1c2dfb8398a7524cb

SHA256
3dea26076cd2848c5544006f5d3d06b5d7b369c0a594f50b3175c805587756f8

SHA512
b581ab6ae61ceb4ad38b1888032fc53d4c972a97839096eb1b44a760377fc4eab12fb4b5fc2cb51d611355843e1f412631677e427c420b9e75cb2351e368cea9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe

Filesize
376KB

MD5
bfe8737b256d0abd4bd9b86dd51cf2d2

SHA1
91906151c3d615497a2685a1c2dfb8398a7524cb

SHA256
3dea26076cd2848c5544006f5d3d06b5d7b369c0a594f50b3175c805587756f8

SHA512
b581ab6ae61ceb4ad38b1888032fc53d4c972a97839096eb1b44a760377fc4eab12fb4b5fc2cb51d611355843e1f412631677e427c420b9e75cb2351e368cea9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe

Filesize
376KB

MD5
bfe8737b256d0abd4bd9b86dd51cf2d2

SHA1
91906151c3d615497a2685a1c2dfb8398a7524cb

SHA256
3dea26076cd2848c5544006f5d3d06b5d7b369c0a594f50b3175c805587756f8

SHA512
b581ab6ae61ceb4ad38b1888032fc53d4c972a97839096eb1b44a760377fc4eab12fb4b5fc2cb51d611355843e1f412631677e427c420b9e75cb2351e368cea9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe

Filesize
459KB

MD5
d041b732253fef6c275a1f5c490447ed

SHA1
15caa238a29b75ea279ef08684558f89145741cf

SHA256
f938c49409d99ce839e8b5de672c5a972c8348f96935b4ca7f73414e1bd406f1

SHA512
c044332361d1e8788882beddd5d4113c5147c87b39b80791bbe1328b14c6a5b9a5b211c049802798ae474f8082281556469f636ebc2ab078dd25eba36f68f440

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe

Filesize
459KB

MD5
d041b732253fef6c275a1f5c490447ed

SHA1
15caa238a29b75ea279ef08684558f89145741cf

SHA256
f938c49409d99ce839e8b5de672c5a972c8348f96935b4ca7f73414e1bd406f1

SHA512
c044332361d1e8788882beddd5d4113c5147c87b39b80791bbe1328b14c6a5b9a5b211c049802798ae474f8082281556469f636ebc2ab078dd25eba36f68f440

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe

Filesize
459KB

MD5
d041b732253fef6c275a1f5c490447ed

SHA1
15caa238a29b75ea279ef08684558f89145741cf

SHA256
f938c49409d99ce839e8b5de672c5a972c8348f96935b4ca7f73414e1bd406f1

SHA512
c044332361d1e8788882beddd5d4113c5147c87b39b80791bbe1328b14c6a5b9a5b211c049802798ae474f8082281556469f636ebc2ab078dd25eba36f68f440

Download Submit
memory/1504-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1504-104-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-102-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-100-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-110-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-108-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-106-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-98-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-96-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-94-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-92-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-90-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-84-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-83-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-86-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-114-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1504-88-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1504-81-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1504-82-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1504-80-0x0000000000890000-0x00000000008A8000-memory.dmp

Filesize
96KB

Download
memory/1504-79-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/1504-78-0x00000000002E0000-0x000000000030D000-memory.dmp

Filesize
180KB

Download
memory/1824-126-0x0000000004DC0000-0x0000000004DFA000-memory.dmp

Filesize
232KB

Download
memory/1824-144-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-127-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-128-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-130-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-132-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-134-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-136-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-138-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-140-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-142-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-125-0x0000000002770000-0x00000000027AC000-memory.dmp

Filesize
240KB

Download
memory/1824-146-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-148-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-150-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-152-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-154-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-156-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-158-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/1824-563-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/1824-565-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1824-921-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1824-923-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1824-925-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download