48465968ae795099be4d484fb4fbb9d82f2cbd32d36164cd8f1dfb0862a03934

General

Target

48465968ae795099be4d484fb4fbb9d82f2cbd32d36164cd8f1dfb0862a03934.exe
Size

772KB
MD5

3a6a71a3869f0ffb5e7bdaefa3bbb9b4
SHA1

7bdfcab40d428510d433471afb70822b0e8baf4a
SHA256

48465968ae795099be4d484fb4fbb9d82f2cbd32d36164cd8f1dfb0862a03934
SHA512

5da3f0279e7204c3da36ce05d0bbdbd5faac2e67bdc0d8545d2ad91e868b1df3010fe88b417ff9e874408c45a0755a6ee57e13784c7896cc8ac3e533885e57b8
SSDEEP

12288:+Mray902uvxxFitQxz93zVhhpGHHGCaMTvPm5OAKoG/Qbvef/TrKwiK6f53ABOY:QyOxF4Y9BpMHraMTvLIbmfrjof53UOY

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
4116	y0842711.exe
4112	y0152616.exe
2264	y1243304.exe
2368	j4801140.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0152616.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1243304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y1243304.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	48465968ae795099be4d484fb4fbb9d82f2cbd32d36164cd8f1dfb0862a03934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48465968ae795099be4d484fb4fbb9d82f2cbd32d36164cd8f1dfb0862a03934.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0842711.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0842711.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0152616.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 3852	2368	j4801140.exe	71

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4768	2368	WerFault.exe	69

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3852	AppLaunch.exe
3852	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3852	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 4116	352	48465968ae795099be4d484fb4fbb9d82f2cbd32d36164cd8f1dfb0862a03934.exe	66
PID 352 wrote to memory of 4116	352	48465968ae795099be4d484fb4fbb9d82f2cbd32d36164cd8f1dfb0862a03934.exe	66
PID 352 wrote to memory of 4116	352	48465968ae795099be4d484fb4fbb9d82f2cbd32d36164cd8f1dfb0862a03934.exe	66
PID 4116 wrote to memory of 4112	4116	y0842711.exe	67
PID 4116 wrote to memory of 4112	4116	y0842711.exe	67
PID 4116 wrote to memory of 4112	4116	y0842711.exe	67
PID 4112 wrote to memory of 2264	4112	y0152616.exe	68
PID 4112 wrote to memory of 2264	4112	y0152616.exe	68
PID 4112 wrote to memory of 2264	4112	y0152616.exe	68
PID 2264 wrote to memory of 2368	2264	y1243304.exe	69
PID 2264 wrote to memory of 2368	2264	y1243304.exe	69
PID 2264 wrote to memory of 2368	2264	y1243304.exe	69
PID 2368 wrote to memory of 3852	2368	j4801140.exe	71
PID 2368 wrote to memory of 3852	2368	j4801140.exe	71
PID 2368 wrote to memory of 3852	2368	j4801140.exe	71
PID 2368 wrote to memory of 3852	2368	j4801140.exe	71
PID 2368 wrote to memory of 3852	2368	j4801140.exe	71

C:\Users\Admin\AppData\Local\Temp\48465968ae795099be4d484fb4fbb9d82f2cbd32d36164cd8f1dfb0862a03934.exe
"C:\Users\Admin\AppData\Local\Temp\48465968ae795099be4d484fb4fbb9d82f2cbd32d36164cd8f1dfb0862a03934.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:352
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0842711.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0842711.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0152616.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0152616.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1243304.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1243304.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4801140.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4801140.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 144
        6⤵
        Program crash
        
        PID:4768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0842711.exe

Filesize
548KB

MD5
19807350b2614dffd8673177f0126a65

SHA1
80e14667c6067e1c89334b7d4badb246df43d997

SHA256
4a332d30c31cf2907331e208e7dc684fdc1ad7c17124fc3fe62e5ff5d280d037

SHA512
f86eba4165969272f822ffe271fcc69e83c0ae8f5a50a9856be60be6e98c9be4a5752ffe9ed394a8ee82e10ce881beaea728a20f0f549bf354050b5c17671ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0842711.exe

Filesize
548KB

MD5
19807350b2614dffd8673177f0126a65

SHA1
80e14667c6067e1c89334b7d4badb246df43d997

SHA256
4a332d30c31cf2907331e208e7dc684fdc1ad7c17124fc3fe62e5ff5d280d037

SHA512
f86eba4165969272f822ffe271fcc69e83c0ae8f5a50a9856be60be6e98c9be4a5752ffe9ed394a8ee82e10ce881beaea728a20f0f549bf354050b5c17671ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0152616.exe

Filesize
376KB

MD5
389ca9d8755ec9dd1ff3db35387a069a

SHA1
15038d8fdd5658d66f2992e4a91711cb0139216a

SHA256
060e732f14b3485374c414c8b1ee8777c520210d903d36ff322346699df79b51

SHA512
0b5698783075c245f922c1a64f59c3adcc15dbb84f5b1ad0dc815fd31e68f810031178820c1fd305a12e9f6f10d1113825bab624fc1db782c0f432774aea9c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0152616.exe

Filesize
376KB

MD5
389ca9d8755ec9dd1ff3db35387a069a

SHA1
15038d8fdd5658d66f2992e4a91711cb0139216a

SHA256
060e732f14b3485374c414c8b1ee8777c520210d903d36ff322346699df79b51

SHA512
0b5698783075c245f922c1a64f59c3adcc15dbb84f5b1ad0dc815fd31e68f810031178820c1fd305a12e9f6f10d1113825bab624fc1db782c0f432774aea9c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1243304.exe

Filesize
221KB

MD5
efb4cab9813cf1b996ae1739ee22e7e0

SHA1
0b84d51d16e5bbc18b7296393309dc5230ea255f

SHA256
1e46f7a7a09ba8508c6bb5fbbf86dfc2e31783062e3584fa989eced20c787d4c

SHA512
2dd0b3492950a6ee7a47583c97960e6627072e3813149c7626371de0142a39666569204c8d2aa74c5c8a1df313f6a4fefe45e3a67de562c5268e2075505b27b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1243304.exe

Filesize
221KB

MD5
efb4cab9813cf1b996ae1739ee22e7e0

SHA1
0b84d51d16e5bbc18b7296393309dc5230ea255f

SHA256
1e46f7a7a09ba8508c6bb5fbbf86dfc2e31783062e3584fa989eced20c787d4c

SHA512
2dd0b3492950a6ee7a47583c97960e6627072e3813149c7626371de0142a39666569204c8d2aa74c5c8a1df313f6a4fefe45e3a67de562c5268e2075505b27b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4801140.exe

Filesize
148KB

MD5
fb6cbe641b9ed6b115429ad209080256

SHA1
b2655184d033147c3b795925ef9de9882a092aad

SHA256
e221917bbffa009d81f25c6058f577a9804aaf3ca65199e128acccda9451fcff

SHA512
9a4fc8cfc09111144d1c434b6384a1f7b8fa9e8f40817bb199c4826ce667f0280a200448556f5599a5a5cbe2a9b9b3d6719293fc923be37e6b9af1402fcfab66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4801140.exe

Filesize
148KB

MD5
fb6cbe641b9ed6b115429ad209080256

SHA1
b2655184d033147c3b795925ef9de9882a092aad

SHA256
e221917bbffa009d81f25c6058f577a9804aaf3ca65199e128acccda9451fcff

SHA512
9a4fc8cfc09111144d1c434b6384a1f7b8fa9e8f40817bb199c4826ce667f0280a200448556f5599a5a5cbe2a9b9b3d6719293fc923be37e6b9af1402fcfab66

Download Submit
memory/3852-145-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads