c31a16accf69fb0966988e1b1e5e690464ec444c13a83dbd82efebec4a37a3c7

Analysis

max time kernel
128s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04/10/2023, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c31a16accf69fb0966988e1b1e5e690464ec444c13a83dbd82efebec4a37a3c7.exe
Size

1.5MB
MD5

639bcb83388be896085ebc67368e8e44
SHA1

8c6d6f3e59e5eebc016a38d95ca19e35bd1136fc
SHA256

c31a16accf69fb0966988e1b1e5e690464ec444c13a83dbd82efebec4a37a3c7
SHA512

314a2d716e1c0bbe55db7176fb817efe8442e73ce79b9444e64cbfe6a1f704f376c4c63144bf6d8eb6356b10a0a905e2001bcd25982c56d8f0c2801174c84002
SSDEEP

49152:mKIaAbEozX76QuB6jMVfH1iDCb000DmrQISty8U:DAbEoL76QuwyfH1iHqr5Stz

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1NY83Oa6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1NY83Oa6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1NY83Oa6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1NY83Oa6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1NY83Oa6.exe

Executes dropped EXE 5 IoCs

pid	Process
1912	rE6IQ71.exe
4984	UD2St70.exe
2160	hl3se89.exe
1312	1NY83Oa6.exe
2788	2uq5526.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1NY83Oa6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1NY83Oa6.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rE6IQ71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	UD2St70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hl3se89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c31a16accf69fb0966988e1b1e5e690464ec444c13a83dbd82efebec4a37a3c7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 1344	2788	2uq5526.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4760	2788	WerFault.exe	74
1456	1344	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1312	1NY83Oa6.exe
1312	1NY83Oa6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	1NY83Oa6.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 1912	4372	c31a16accf69fb0966988e1b1e5e690464ec444c13a83dbd82efebec4a37a3c7.exe	70
PID 4372 wrote to memory of 1912	4372	c31a16accf69fb0966988e1b1e5e690464ec444c13a83dbd82efebec4a37a3c7.exe	70
PID 4372 wrote to memory of 1912	4372	c31a16accf69fb0966988e1b1e5e690464ec444c13a83dbd82efebec4a37a3c7.exe	70
PID 1912 wrote to memory of 4984	1912	rE6IQ71.exe	71
PID 1912 wrote to memory of 4984	1912	rE6IQ71.exe	71
PID 1912 wrote to memory of 4984	1912	rE6IQ71.exe	71
PID 4984 wrote to memory of 2160	4984	UD2St70.exe	72
PID 4984 wrote to memory of 2160	4984	UD2St70.exe	72
PID 4984 wrote to memory of 2160	4984	UD2St70.exe	72
PID 2160 wrote to memory of 1312	2160	hl3se89.exe	73
PID 2160 wrote to memory of 1312	2160	hl3se89.exe	73
PID 2160 wrote to memory of 1312	2160	hl3se89.exe	73
PID 2160 wrote to memory of 2788	2160	hl3se89.exe	74
PID 2160 wrote to memory of 2788	2160	hl3se89.exe	74
PID 2160 wrote to memory of 2788	2160	hl3se89.exe	74
PID 2788 wrote to memory of 1344	2788	2uq5526.exe	76
PID 2788 wrote to memory of 1344	2788	2uq5526.exe	76
PID 2788 wrote to memory of 1344	2788	2uq5526.exe	76
PID 2788 wrote to memory of 1344	2788	2uq5526.exe	76
PID 2788 wrote to memory of 1344	2788	2uq5526.exe	76
PID 2788 wrote to memory of 1344	2788	2uq5526.exe	76
PID 2788 wrote to memory of 1344	2788	2uq5526.exe	76
PID 2788 wrote to memory of 1344	2788	2uq5526.exe	76
PID 2788 wrote to memory of 1344	2788	2uq5526.exe	76
PID 2788 wrote to memory of 1344	2788	2uq5526.exe	76

C:\Users\Admin\AppData\Local\Temp\c31a16accf69fb0966988e1b1e5e690464ec444c13a83dbd82efebec4a37a3c7.exe
"C:\Users\Admin\AppData\Local\Temp\c31a16accf69fb0966988e1b1e5e690464ec444c13a83dbd82efebec4a37a3c7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rE6IQ71.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rE6IQ71.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UD2St70.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UD2St70.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl3se89.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl3se89.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NY83Oa6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NY83Oa6.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2uq5526.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2uq5526.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 568
        7⤵
        Program crash
        
        PID:1456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 144
        6⤵
        Program crash
        
        PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rE6IQ71.exe

Filesize
1.4MB

MD5
dd70446b7355148bebb91c1442cb5ad1

SHA1
975bb7b55b0165961de71e9284335fd592c55057

SHA256
79338ee0e0ace8376c522eac470a525575a933b7971225a46fc5b970f4603a19

SHA512
21d110462429f7d494a67d91aa80aa7dc0266bab0770fa3b844860d30243371d3a0ee2df2e31e4679c6472fdf86e3625cc8ddd735eb99be82a63e779f1992c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rE6IQ71.exe

Filesize
1.4MB

MD5
dd70446b7355148bebb91c1442cb5ad1

SHA1
975bb7b55b0165961de71e9284335fd592c55057

SHA256
79338ee0e0ace8376c522eac470a525575a933b7971225a46fc5b970f4603a19

SHA512
21d110462429f7d494a67d91aa80aa7dc0266bab0770fa3b844860d30243371d3a0ee2df2e31e4679c6472fdf86e3625cc8ddd735eb99be82a63e779f1992c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UD2St70.exe

Filesize
985KB

MD5
4d26e9b11a0a82cf4f923a3099a00985

SHA1
aa5a6d3ea24bb3f8342d3b284566ca626fae0f7a

SHA256
92c1257cd1f4cd23e6093e00d89b789ad6a12eddfd10f2c8748cb3589807cda6

SHA512
76a43927b911e52c8ea306902993ab0c2307ab1c2b5aee41599c52dc1dcd0e6b729c1161f0f27f0da9cfb40f124f4d11b66f4af20dec4e2fb740466186fadd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UD2St70.exe

Filesize
985KB

MD5
4d26e9b11a0a82cf4f923a3099a00985

SHA1
aa5a6d3ea24bb3f8342d3b284566ca626fae0f7a

SHA256
92c1257cd1f4cd23e6093e00d89b789ad6a12eddfd10f2c8748cb3589807cda6

SHA512
76a43927b911e52c8ea306902993ab0c2307ab1c2b5aee41599c52dc1dcd0e6b729c1161f0f27f0da9cfb40f124f4d11b66f4af20dec4e2fb740466186fadd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl3se89.exe

Filesize
598KB

MD5
2255f5e6c4a5f19a4185beca82881f8e

SHA1
dbe31f2a58e276fc46fb3d464447450b1ef544b9

SHA256
a35ff0c097fe5a461c6b957f62ca67ee49337ec0551bf4ea6fbbb99bbcb0f62e

SHA512
bdd1e43cf705da3659d00a2408e7d86efafb294d3a8a6f5c04c64b7f81496532228b521188e2d59368ceec6d73d934d08d7321d75ab5f13fbf578738ae54ddb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl3se89.exe

Filesize
598KB

MD5
2255f5e6c4a5f19a4185beca82881f8e

SHA1
dbe31f2a58e276fc46fb3d464447450b1ef544b9

SHA256
a35ff0c097fe5a461c6b957f62ca67ee49337ec0551bf4ea6fbbb99bbcb0f62e

SHA512
bdd1e43cf705da3659d00a2408e7d86efafb294d3a8a6f5c04c64b7f81496532228b521188e2d59368ceec6d73d934d08d7321d75ab5f13fbf578738ae54ddb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NY83Oa6.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1NY83Oa6.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2uq5526.exe

Filesize
1.4MB

MD5
b1923cc4b463d96d9dc85556159f87b0

SHA1
e1890c078ff486deca30885cb82f5c045f7fbd69

SHA256
e336b9765b0b4dced3e1ea2a011a62f0d9a45800503bace54fcc5cbbcb2e6bca

SHA512
c2633f8b8074e145ff0042b45e2c16ef440bcbc31d0cee3d146fffa9ed2e7e4f0d2cab847b3fdb985553a23ae2a479db804a497d88fce8a8a726567317b7efcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2uq5526.exe

Filesize
1.4MB

MD5
b1923cc4b463d96d9dc85556159f87b0

SHA1
e1890c078ff486deca30885cb82f5c045f7fbd69

SHA256
e336b9765b0b4dced3e1ea2a011a62f0d9a45800503bace54fcc5cbbcb2e6bca

SHA512
c2633f8b8074e145ff0042b45e2c16ef440bcbc31d0cee3d146fffa9ed2e7e4f0d2cab847b3fdb985553a23ae2a479db804a497d88fce8a8a726567317b7efcc

Download Submit
memory/1312-39-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-53-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-32-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-33-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-35-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-37-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-30-0x0000000004C50000-0x000000000514E000-memory.dmp

Filesize
5.0MB

Download
memory/1312-41-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-43-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-45-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-47-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-49-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-51-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-31-0x00000000023C0000-0x00000000023DC000-memory.dmp

Filesize
112KB

Download
memory/1312-55-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-57-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-59-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1312-60-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/1312-62-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/1312-28-0x0000000002210000-0x000000000222E000-memory.dmp

Filesize
120KB

Download
memory/1312-29-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/1344-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1344-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1344-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1344-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download