169d79da4e8402b437363ba18888e33a460a0cadbd9487c7fcfe550410131e69

Analysis

max time kernel
126s
max time network
136s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04/10/2023, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

169d79da4e8402b437363ba18888e33a460a0cadbd9487c7fcfe550410131e69.exe
Size

1.5MB
MD5

a6b4223d442998546a784b14c1496fbc
SHA1

22eac5869411fe4bf69229fe7401f9078caad324
SHA256

169d79da4e8402b437363ba18888e33a460a0cadbd9487c7fcfe550410131e69
SHA512

22db81b467c76032187b43209ae87f89f51ea2a84d6a400c994e3033fbe099056816ef690eb28b6dc0c79d977f04b66c575a1611c2956879fee04668551b6c41
SSDEEP

24576:/y2k9t2+VeKytMpgogYTdfbtbVjxIGIN6d9fvH9cjfzQ07P/hwTR2tVU44a:K++VTSogYRzW9Nq3HobQ03hOR7

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1yB44PK8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1yB44PK8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1yB44PK8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1yB44PK8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1yB44PK8.exe

Executes dropped EXE 5 IoCs

pid	Process
196	PJ4cc07.exe
5008	ea3BD76.exe
308	Tb3YQ26.exe
4664	1yB44PK8.exe
5116	2hz4903.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1yB44PK8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1yB44PK8.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	169d79da4e8402b437363ba18888e33a460a0cadbd9487c7fcfe550410131e69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	PJ4cc07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ea3BD76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Tb3YQ26.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5116 set thread context of 4960	5116	2hz4903.exe	79

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5024	5116	WerFault.exe	75
2632	4960	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4664	1yB44PK8.exe
4664	1yB44PK8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	1yB44PK8.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 196	4668	169d79da4e8402b437363ba18888e33a460a0cadbd9487c7fcfe550410131e69.exe	71
PID 4668 wrote to memory of 196	4668	169d79da4e8402b437363ba18888e33a460a0cadbd9487c7fcfe550410131e69.exe	71
PID 4668 wrote to memory of 196	4668	169d79da4e8402b437363ba18888e33a460a0cadbd9487c7fcfe550410131e69.exe	71
PID 196 wrote to memory of 5008	196	PJ4cc07.exe	72
PID 196 wrote to memory of 5008	196	PJ4cc07.exe	72
PID 196 wrote to memory of 5008	196	PJ4cc07.exe	72
PID 5008 wrote to memory of 308	5008	ea3BD76.exe	73
PID 5008 wrote to memory of 308	5008	ea3BD76.exe	73
PID 5008 wrote to memory of 308	5008	ea3BD76.exe	73
PID 308 wrote to memory of 4664	308	Tb3YQ26.exe	74
PID 308 wrote to memory of 4664	308	Tb3YQ26.exe	74
PID 308 wrote to memory of 4664	308	Tb3YQ26.exe	74
PID 308 wrote to memory of 5116	308	Tb3YQ26.exe	75
PID 308 wrote to memory of 5116	308	Tb3YQ26.exe	75
PID 308 wrote to memory of 5116	308	Tb3YQ26.exe	75
PID 5116 wrote to memory of 3168	5116	2hz4903.exe	77
PID 5116 wrote to memory of 3168	5116	2hz4903.exe	77
PID 5116 wrote to memory of 3168	5116	2hz4903.exe	77
PID 5116 wrote to memory of 4472	5116	2hz4903.exe	78
PID 5116 wrote to memory of 4472	5116	2hz4903.exe	78
PID 5116 wrote to memory of 4472	5116	2hz4903.exe	78
PID 5116 wrote to memory of 4960	5116	2hz4903.exe	79
PID 5116 wrote to memory of 4960	5116	2hz4903.exe	79
PID 5116 wrote to memory of 4960	5116	2hz4903.exe	79
PID 5116 wrote to memory of 4960	5116	2hz4903.exe	79
PID 5116 wrote to memory of 4960	5116	2hz4903.exe	79
PID 5116 wrote to memory of 4960	5116	2hz4903.exe	79
PID 5116 wrote to memory of 4960	5116	2hz4903.exe	79
PID 5116 wrote to memory of 4960	5116	2hz4903.exe	79
PID 5116 wrote to memory of 4960	5116	2hz4903.exe	79
PID 5116 wrote to memory of 4960	5116	2hz4903.exe	79

C:\Users\Admin\AppData\Local\Temp\169d79da4e8402b437363ba18888e33a460a0cadbd9487c7fcfe550410131e69.exe
"C:\Users\Admin\AppData\Local\Temp\169d79da4e8402b437363ba18888e33a460a0cadbd9487c7fcfe550410131e69.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PJ4cc07.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PJ4cc07.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ea3BD76.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ea3BD76.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tb3YQ26.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tb3YQ26.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:308
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yB44PK8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yB44PK8.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hz4903.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hz4903.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3168
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4472
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 568
        7⤵
        Program crash
        
        PID:2632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 612
        6⤵
        Program crash
        
        PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PJ4cc07.exe

Filesize
1.4MB

MD5
fd88b3b5b534e8f3425afcaea9b18113

SHA1
e0f33349f50776709634747fe23b91cb2cd54442

SHA256
d493cdb7de2688c2a0fc04c1ea79e200e20bf2ede1ecd9c81d7505aa1553565e

SHA512
99b7d5e7db26351680479c9b3c282fbb321163355f1bdb1d85929e90a975c157e76295b06395422b4501031ae2694db7f247ab57124c97a76a76b9d01d8a4a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PJ4cc07.exe

Filesize
1.4MB

MD5
fd88b3b5b534e8f3425afcaea9b18113

SHA1
e0f33349f50776709634747fe23b91cb2cd54442

SHA256
d493cdb7de2688c2a0fc04c1ea79e200e20bf2ede1ecd9c81d7505aa1553565e

SHA512
99b7d5e7db26351680479c9b3c282fbb321163355f1bdb1d85929e90a975c157e76295b06395422b4501031ae2694db7f247ab57124c97a76a76b9d01d8a4a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ea3BD76.exe

Filesize
985KB

MD5
efd9f1d99f0c03bf79015a9b8c5190a1

SHA1
4b481fca69f852f211083808efb3ca263aed38d7

SHA256
be1bda7f0c5a5882b668134fa4a23b9b5252a37ccb3a0868b026d626ad71de8c

SHA512
4a4dde0a5afcabb6e25c74e192398dfbc017c9dbc50b5cffdfc156330b821f68ea712edff9d9015d0c0e83cf47598e9c871e7f3c1e7f7cbf688e993c03b0146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ea3BD76.exe

Filesize
985KB

MD5
efd9f1d99f0c03bf79015a9b8c5190a1

SHA1
4b481fca69f852f211083808efb3ca263aed38d7

SHA256
be1bda7f0c5a5882b668134fa4a23b9b5252a37ccb3a0868b026d626ad71de8c

SHA512
4a4dde0a5afcabb6e25c74e192398dfbc017c9dbc50b5cffdfc156330b821f68ea712edff9d9015d0c0e83cf47598e9c871e7f3c1e7f7cbf688e993c03b0146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tb3YQ26.exe

Filesize
598KB

MD5
f6755812ebf2840db82d9000913f40dc

SHA1
42f8f3584299421b963ca33f7a8d3d04b8664d92

SHA256
b766514b72a356d25391f8e4252862dfcc5fbb319efc30e2f6bbad9a997914fb

SHA512
501565124ef319c45d64926f23fbcf41ead4458344b5977bdced533b5162e4b07219cb34acd1abb40b3560cf66dc8ac44e1a4643b0497f16b681cce4e0a582bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tb3YQ26.exe

Filesize
598KB

MD5
f6755812ebf2840db82d9000913f40dc

SHA1
42f8f3584299421b963ca33f7a8d3d04b8664d92

SHA256
b766514b72a356d25391f8e4252862dfcc5fbb319efc30e2f6bbad9a997914fb

SHA512
501565124ef319c45d64926f23fbcf41ead4458344b5977bdced533b5162e4b07219cb34acd1abb40b3560cf66dc8ac44e1a4643b0497f16b681cce4e0a582bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yB44PK8.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yB44PK8.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hz4903.exe

Filesize
1.4MB

MD5
40b413629ae141b958ca579ce36ed6ec

SHA1
750bca96c232eaf3610951e9e83ea37b0c161efa

SHA256
bd975edafcefad0596c4ccbd811d0a9753247b617a5e9c046411042f9e1b9b70

SHA512
f7f2f3174ba926ad6a375b4698bad7e1339679be43a18ad2a2f6096c4d23a7ece6777550dba73126c53a41656c99ac3315fd05e9b544e5d004374e7973d980a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hz4903.exe

Filesize
1.4MB

MD5
40b413629ae141b958ca579ce36ed6ec

SHA1
750bca96c232eaf3610951e9e83ea37b0c161efa

SHA256
bd975edafcefad0596c4ccbd811d0a9753247b617a5e9c046411042f9e1b9b70

SHA512
f7f2f3174ba926ad6a375b4698bad7e1339679be43a18ad2a2f6096c4d23a7ece6777550dba73126c53a41656c99ac3315fd05e9b544e5d004374e7973d980a6

Download Submit
memory/4664-39-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-53-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-32-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-33-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-35-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-37-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-30-0x00000000049B0000-0x0000000004EAE000-memory.dmp

Filesize
5.0MB

Download
memory/4664-41-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-43-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-45-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-47-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-49-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-51-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-31-0x00000000023E0000-0x00000000023FC000-memory.dmp

Filesize
112KB

Download
memory/4664-55-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-57-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-59-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4664-60-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/4664-62-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/4664-28-0x00000000007C0000-0x00000000007DE000-memory.dmp

Filesize
120KB

Download
memory/4664-29-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/4960-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4960-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4960-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4960-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download