3deadf92dac86b292edd6e9dd07bcc783e47dd0ee63678fdd6945152c7a32980

General

Target

3deadf92dac86b292edd6e9dd07bcc783e47dd0ee63678fdd6945152c7a32980.exe
Size

752KB
MD5

e73b2ac12837dd950785c6a16eed427b
SHA1

a1b5a3c7759ad0c92be70d506f1a1c0dcaf6dd1c
SHA256

3deadf92dac86b292edd6e9dd07bcc783e47dd0ee63678fdd6945152c7a32980
SHA512

73ac809eaf29b620e866c29cadb927d1ad5322419bebe71f3320a6c23e8fc7602d569c9e72a7c1e649ab9a2c3740e38a51b0bdb1ff04677a0708cbf657d9dda1
SSDEEP

12288:4Mrwy90pCElvFdYnZVavA7A+C1lEvbhusggTJFMGamBQZTIAe0SDLf/29v+Dxq1o:oy3ElXYVavNMnTJFlacAe0SP/2JUxE45

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
2352	y3805368.exe
2580	y1593927.exe
2772	y9873805.exe
3944	j7171329.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3deadf92dac86b292edd6e9dd07bcc783e47dd0ee63678fdd6945152c7a32980.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3deadf92dac86b292edd6e9dd07bcc783e47dd0ee63678fdd6945152c7a32980.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3805368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3805368.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1593927.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1593927.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9873805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y9873805.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3944 set thread context of 4372	3944	j7171329.exe	71

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3516	3944	WerFault.exe	69

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4372	AppLaunch.exe
4372	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2352	1840	3deadf92dac86b292edd6e9dd07bcc783e47dd0ee63678fdd6945152c7a32980.exe	66
PID 1840 wrote to memory of 2352	1840	3deadf92dac86b292edd6e9dd07bcc783e47dd0ee63678fdd6945152c7a32980.exe	66
PID 1840 wrote to memory of 2352	1840	3deadf92dac86b292edd6e9dd07bcc783e47dd0ee63678fdd6945152c7a32980.exe	66
PID 2352 wrote to memory of 2580	2352	y3805368.exe	67
PID 2352 wrote to memory of 2580	2352	y3805368.exe	67
PID 2352 wrote to memory of 2580	2352	y3805368.exe	67
PID 2580 wrote to memory of 2772	2580	y1593927.exe	68
PID 2580 wrote to memory of 2772	2580	y1593927.exe	68
PID 2580 wrote to memory of 2772	2580	y1593927.exe	68
PID 2772 wrote to memory of 3944	2772	y9873805.exe	69
PID 2772 wrote to memory of 3944	2772	y9873805.exe	69
PID 2772 wrote to memory of 3944	2772	y9873805.exe	69
PID 3944 wrote to memory of 4372	3944	j7171329.exe	71
PID 3944 wrote to memory of 4372	3944	j7171329.exe	71
PID 3944 wrote to memory of 4372	3944	j7171329.exe	71
PID 3944 wrote to memory of 4372	3944	j7171329.exe	71
PID 3944 wrote to memory of 4372	3944	j7171329.exe	71

C:\Users\Admin\AppData\Local\Temp\3deadf92dac86b292edd6e9dd07bcc783e47dd0ee63678fdd6945152c7a32980.exe
"C:\Users\Admin\AppData\Local\Temp\3deadf92dac86b292edd6e9dd07bcc783e47dd0ee63678fdd6945152c7a32980.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3805368.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3805368.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1593927.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1593927.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9873805.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9873805.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7171329.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7171329.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 204
        6⤵
        Program crash
        
        PID:3516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3805368.exe

Filesize
539KB

MD5
a1e38d5fe071b22821df52a5d3e58f32

SHA1
221dca658cb575a085a9400f2e9f6be451f52d61

SHA256
6fd80587253cca070b538d28ae39847a827e4f1d8fba9b6ebdb38e3480905edb

SHA512
6dcb7943fc5d6b8ab2f24e54f7823162ba8dbe12744162a1fd06b64ea783c3f8fdd7497dcf1062f033089cf818e3f7fe963a42563802b9969934c3f56063694e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3805368.exe

Filesize
539KB

MD5
a1e38d5fe071b22821df52a5d3e58f32

SHA1
221dca658cb575a085a9400f2e9f6be451f52d61

SHA256
6fd80587253cca070b538d28ae39847a827e4f1d8fba9b6ebdb38e3480905edb

SHA512
6dcb7943fc5d6b8ab2f24e54f7823162ba8dbe12744162a1fd06b64ea783c3f8fdd7497dcf1062f033089cf818e3f7fe963a42563802b9969934c3f56063694e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1593927.exe

Filesize
367KB

MD5
5d92d35ca89225dc4e73ced19484cb41

SHA1
263ed48684fc1ece377fc3b077f2497ce3bdc661

SHA256
feaefa16a81abae542087a14ef7cc3c77849fbfb80fcbd93c7f8c019a2ab21e6

SHA512
b23c76fc0c94b6908dbb7620bd376c2f6334baecd134e5363b041e558a5fbdb068b66c838732a0879cadc89b14162a652589b5d03a4b3ce08fa87eaf12e24a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1593927.exe

Filesize
367KB

MD5
5d92d35ca89225dc4e73ced19484cb41

SHA1
263ed48684fc1ece377fc3b077f2497ce3bdc661

SHA256
feaefa16a81abae542087a14ef7cc3c77849fbfb80fcbd93c7f8c019a2ab21e6

SHA512
b23c76fc0c94b6908dbb7620bd376c2f6334baecd134e5363b041e558a5fbdb068b66c838732a0879cadc89b14162a652589b5d03a4b3ce08fa87eaf12e24a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9873805.exe

Filesize
211KB

MD5
4233a14bfda6867781d8fa5fbba51c02

SHA1
6f1ec2592a8eca4a403dddd3da76d6433db3cc4a

SHA256
f5a00aac6ce067d5ce2cefbda789328986fa3c285b4c663a421b0a22cfc219c1

SHA512
9563bc4bebc8f198845af4f279495f845913eeb55ab26784fbc1603f800a3310a50a65764079e0c9e5e9136f6178dec4c042737db3a4ccf9427d95756961717e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9873805.exe

Filesize
211KB

MD5
4233a14bfda6867781d8fa5fbba51c02

SHA1
6f1ec2592a8eca4a403dddd3da76d6433db3cc4a

SHA256
f5a00aac6ce067d5ce2cefbda789328986fa3c285b4c663a421b0a22cfc219c1

SHA512
9563bc4bebc8f198845af4f279495f845913eeb55ab26784fbc1603f800a3310a50a65764079e0c9e5e9136f6178dec4c042737db3a4ccf9427d95756961717e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7171329.exe

Filesize
121KB

MD5
e1d31082b7fdeda6966a02ab03b5f1bd

SHA1
1021bcfe35fae89bfdf69b4982e2d95900f90a2d

SHA256
0f6c5551e1290ede68f1f2338e2e98586bb747cbaeb78b95ca17ba11aee14095

SHA512
552df9c09bedec13a1a55935d76a00ba051c32a90a5dff69df8bd224f92f13727baaf6740a8dee66593889f4b9d4fb27ccfc2229595b85b217c27a94de399e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7171329.exe

Filesize
121KB

MD5
e1d31082b7fdeda6966a02ab03b5f1bd

SHA1
1021bcfe35fae89bfdf69b4982e2d95900f90a2d

SHA256
0f6c5551e1290ede68f1f2338e2e98586bb747cbaeb78b95ca17ba11aee14095

SHA512
552df9c09bedec13a1a55935d76a00ba051c32a90a5dff69df8bd224f92f13727baaf6740a8dee66593889f4b9d4fb27ccfc2229595b85b217c27a94de399e15

Download Submit
memory/4372-149-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads