2e40f39d4e60afd724d6d1572d9a01e74d2b90dd7b7e94117034301a5046f392

Analysis

max time kernel
109s
max time network
112s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04/10/2023, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e40f39d4e60afd724d6d1572d9a01e74d2b90dd7b7e94117034301a5046f392.exe
Size

1.5MB
MD5

45a9512b7444017009e5b01143618542
SHA1

033bba437b5d5a4d351584dbafb215c5fa1d9e97
SHA256

2e40f39d4e60afd724d6d1572d9a01e74d2b90dd7b7e94117034301a5046f392
SHA512

6c392c5630cdabf2e8be2c512eef500d525887ee62567abe018a137b73a2b4c436ec94a4291fce270937e724244d285a62b2c348c67654c7ecd845c2875c130e
SSDEEP

24576:9yjf6xQvDXm6U3VpqzYnbczFR5+2lMmF7AUk5PZnNH7Q21teuy9aqzpphtGmbb:Yj1bR5+2lMfxZnNHs21Hy9aMpRGmb

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1Gc06SO3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1Gc06SO3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1Gc06SO3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1Gc06SO3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1Gc06SO3.exe

Executes dropped EXE 5 IoCs

pid	Process
2256	gq7rB29.exe
3872	Mm0cQ99.exe
208	eN0hG42.exe
4244	1Gc06SO3.exe
4036	2bc3108.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1Gc06SO3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1Gc06SO3.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Mm0cQ99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	eN0hG42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e40f39d4e60afd724d6d1572d9a01e74d2b90dd7b7e94117034301a5046f392.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gq7rB29.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4036 set thread context of 4248	4036	2bc3108.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
836	4036	WerFault.exe	74
4280	4248	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4244	1Gc06SO3.exe
4244	1Gc06SO3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	1Gc06SO3.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2256	4856	2e40f39d4e60afd724d6d1572d9a01e74d2b90dd7b7e94117034301a5046f392.exe	70
PID 4856 wrote to memory of 2256	4856	2e40f39d4e60afd724d6d1572d9a01e74d2b90dd7b7e94117034301a5046f392.exe	70
PID 4856 wrote to memory of 2256	4856	2e40f39d4e60afd724d6d1572d9a01e74d2b90dd7b7e94117034301a5046f392.exe	70
PID 2256 wrote to memory of 3872	2256	gq7rB29.exe	71
PID 2256 wrote to memory of 3872	2256	gq7rB29.exe	71
PID 2256 wrote to memory of 3872	2256	gq7rB29.exe	71
PID 3872 wrote to memory of 208	3872	Mm0cQ99.exe	72
PID 3872 wrote to memory of 208	3872	Mm0cQ99.exe	72
PID 3872 wrote to memory of 208	3872	Mm0cQ99.exe	72
PID 208 wrote to memory of 4244	208	eN0hG42.exe	73
PID 208 wrote to memory of 4244	208	eN0hG42.exe	73
PID 208 wrote to memory of 4244	208	eN0hG42.exe	73
PID 208 wrote to memory of 4036	208	eN0hG42.exe	74
PID 208 wrote to memory of 4036	208	eN0hG42.exe	74
PID 208 wrote to memory of 4036	208	eN0hG42.exe	74
PID 4036 wrote to memory of 4248	4036	2bc3108.exe	76
PID 4036 wrote to memory of 4248	4036	2bc3108.exe	76
PID 4036 wrote to memory of 4248	4036	2bc3108.exe	76
PID 4036 wrote to memory of 4248	4036	2bc3108.exe	76
PID 4036 wrote to memory of 4248	4036	2bc3108.exe	76
PID 4036 wrote to memory of 4248	4036	2bc3108.exe	76
PID 4036 wrote to memory of 4248	4036	2bc3108.exe	76
PID 4036 wrote to memory of 4248	4036	2bc3108.exe	76
PID 4036 wrote to memory of 4248	4036	2bc3108.exe	76
PID 4036 wrote to memory of 4248	4036	2bc3108.exe	76

C:\Users\Admin\AppData\Local\Temp\2e40f39d4e60afd724d6d1572d9a01e74d2b90dd7b7e94117034301a5046f392.exe
"C:\Users\Admin\AppData\Local\Temp\2e40f39d4e60afd724d6d1572d9a01e74d2b90dd7b7e94117034301a5046f392.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gq7rB29.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gq7rB29.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mm0cQ99.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mm0cQ99.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eN0hG42.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eN0hG42.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Gc06SO3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Gc06SO3.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2bc3108.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2bc3108.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 568
        7⤵
        Program crash
        
        PID:4280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 584
        6⤵
        Program crash
        
        PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gq7rB29.exe

Filesize
1.4MB

MD5
3848890bf6af49cf8e07a2f6fcfff423

SHA1
986e6ff2d4d0ca14e11b25768e78cee021e3b6ae

SHA256
693fd05d2b5fd59c293ff498fde24c48bd444546d2e0a17a4aca6c9bd18505f1

SHA512
d0cacec9deade3d4e11ab64504d7d938d221dec6426eb73d3c2e291c495c7dd8039615113c561ae117a077104fcf76003650a9e67a09b4ce427bbfa555ea1f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gq7rB29.exe

Filesize
1.4MB

MD5
3848890bf6af49cf8e07a2f6fcfff423

SHA1
986e6ff2d4d0ca14e11b25768e78cee021e3b6ae

SHA256
693fd05d2b5fd59c293ff498fde24c48bd444546d2e0a17a4aca6c9bd18505f1

SHA512
d0cacec9deade3d4e11ab64504d7d938d221dec6426eb73d3c2e291c495c7dd8039615113c561ae117a077104fcf76003650a9e67a09b4ce427bbfa555ea1f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mm0cQ99.exe

Filesize
984KB

MD5
b7d23295fc99a261951fefb22dad1639

SHA1
5ae8e79246c30ef11167316c1a23d5a8684e47bd

SHA256
a2190be5c468ffd160deab11766f92cc953b12d7903dbc5e64ef645ee8869057

SHA512
e841c92f1f6b9930deeaddfd53db80ebe8425bca019c7641696e3bcd1cce084363fca94cceb6e766972cb65e6883bd989d190ca9ff46126a18ea7977550bc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mm0cQ99.exe

Filesize
984KB

MD5
b7d23295fc99a261951fefb22dad1639

SHA1
5ae8e79246c30ef11167316c1a23d5a8684e47bd

SHA256
a2190be5c468ffd160deab11766f92cc953b12d7903dbc5e64ef645ee8869057

SHA512
e841c92f1f6b9930deeaddfd53db80ebe8425bca019c7641696e3bcd1cce084363fca94cceb6e766972cb65e6883bd989d190ca9ff46126a18ea7977550bc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eN0hG42.exe

Filesize
598KB

MD5
530efe132b6f309c943e912a1b5e2a81

SHA1
ff218e496224852f08bb8d4c585273a261ec12f4

SHA256
9ee547f28d017b852baf4b4f3e932498f4f7dc33ba5096a4b1a7399f0c685f21

SHA512
3ae8051216a454d054e3baae7700e028958b57488405acb83b7983d8449075e00128827263769d274b5aca7bbd5ba46bee0a6f1c8137aba1c4a5b3ff15db2fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eN0hG42.exe

Filesize
598KB

MD5
530efe132b6f309c943e912a1b5e2a81

SHA1
ff218e496224852f08bb8d4c585273a261ec12f4

SHA256
9ee547f28d017b852baf4b4f3e932498f4f7dc33ba5096a4b1a7399f0c685f21

SHA512
3ae8051216a454d054e3baae7700e028958b57488405acb83b7983d8449075e00128827263769d274b5aca7bbd5ba46bee0a6f1c8137aba1c4a5b3ff15db2fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Gc06SO3.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Gc06SO3.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2bc3108.exe

Filesize
1.4MB

MD5
80436c5ed517b5fd4587acf60d9b48de

SHA1
80a8e884254786626e5002b486509c63833c82c9

SHA256
a8d717c9ef2d8ba12da7aec8d031dcbd2fe5cad7e725487cd3a479a7abd1cbc1

SHA512
1582eec77fe717a2fb5fdeec9f8d918b511f439ce5402d88343c4ec6d2604de25750437ed8480f75c6254bed71e63bd69ca9f5ef6c2fa1edbb516b861c289168

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2bc3108.exe

Filesize
1.4MB

MD5
80436c5ed517b5fd4587acf60d9b48de

SHA1
80a8e884254786626e5002b486509c63833c82c9

SHA256
a8d717c9ef2d8ba12da7aec8d031dcbd2fe5cad7e725487cd3a479a7abd1cbc1

SHA512
1582eec77fe717a2fb5fdeec9f8d918b511f439ce5402d88343c4ec6d2604de25750437ed8480f75c6254bed71e63bd69ca9f5ef6c2fa1edbb516b861c289168

Download Submit
memory/4244-39-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-53-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-32-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-35-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-33-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-37-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-30-0x0000000004D30000-0x000000000522E000-memory.dmp

Filesize
5.0MB

Download
memory/4244-41-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-43-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-45-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-47-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-49-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-51-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-31-0x00000000007E0000-0x00000000007FC000-memory.dmp

Filesize
112KB

Download
memory/4244-55-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-57-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-59-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4244-60-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/4244-62-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/4244-29-0x0000000000670000-0x000000000068E000-memory.dmp

Filesize
120KB

Download
memory/4244-28-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/4248-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4248-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4248-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4248-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download