0502ca4d4b48c386a1041e9b9fc5990270f22de19baef4958b005d9381ee5453

Analysis

max time kernel
126s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04/10/2023, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0502ca4d4b48c386a1041e9b9fc5990270f22de19baef4958b005d9381ee5453.exe
Size

1.5MB
MD5

28015be964c07433319685b9a33a44c1
SHA1

aa499e7114a3b694f3180acd0393b7fdd1314354
SHA256

0502ca4d4b48c386a1041e9b9fc5990270f22de19baef4958b005d9381ee5453
SHA512

d8bfc98f23b0652b6e4020e07581e274c294b1bb98a7f25d3013aaacbcbc395451b21d0737c8acb711fcc4af4bdb71cbb33b62e77d8b6ac08a85209a5a45e9e5
SSDEEP

24576:CyDa7dF1T/ftVEeO4VhgVbBa3lNu/ICyiHCfP1bR/fyAJkq6jmvnlV8leyufXbgu:p+RNVK4BPu/iiHCfXfyAJ8m3eMcI+Pu

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1Ml18Oh4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1Ml18Oh4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1Ml18Oh4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1Ml18Oh4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1Ml18Oh4.exe

Executes dropped EXE 5 IoCs

pid	Process
2936	yV7pW49.exe
852	Id0BX66.exe
3356	Cn6Iu18.exe
4444	1Ml18Oh4.exe
4964	2il4588.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1Ml18Oh4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1Ml18Oh4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0502ca4d4b48c386a1041e9b9fc5990270f22de19baef4958b005d9381ee5453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yV7pW49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Id0BX66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Cn6Iu18.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4964 set thread context of 4832	4964	2il4588.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3496	4964	WerFault.exe	74
5104	4832	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	1Ml18Oh4.exe
4444	1Ml18Oh4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	1Ml18Oh4.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2936	2076	0502ca4d4b48c386a1041e9b9fc5990270f22de19baef4958b005d9381ee5453.exe	70
PID 2076 wrote to memory of 2936	2076	0502ca4d4b48c386a1041e9b9fc5990270f22de19baef4958b005d9381ee5453.exe	70
PID 2076 wrote to memory of 2936	2076	0502ca4d4b48c386a1041e9b9fc5990270f22de19baef4958b005d9381ee5453.exe	70
PID 2936 wrote to memory of 852	2936	yV7pW49.exe	71
PID 2936 wrote to memory of 852	2936	yV7pW49.exe	71
PID 2936 wrote to memory of 852	2936	yV7pW49.exe	71
PID 852 wrote to memory of 3356	852	Id0BX66.exe	72
PID 852 wrote to memory of 3356	852	Id0BX66.exe	72
PID 852 wrote to memory of 3356	852	Id0BX66.exe	72
PID 3356 wrote to memory of 4444	3356	Cn6Iu18.exe	73
PID 3356 wrote to memory of 4444	3356	Cn6Iu18.exe	73
PID 3356 wrote to memory of 4444	3356	Cn6Iu18.exe	73
PID 3356 wrote to memory of 4964	3356	Cn6Iu18.exe	74
PID 3356 wrote to memory of 4964	3356	Cn6Iu18.exe	74
PID 3356 wrote to memory of 4964	3356	Cn6Iu18.exe	74
PID 4964 wrote to memory of 4832	4964	2il4588.exe	76
PID 4964 wrote to memory of 4832	4964	2il4588.exe	76
PID 4964 wrote to memory of 4832	4964	2il4588.exe	76
PID 4964 wrote to memory of 4832	4964	2il4588.exe	76
PID 4964 wrote to memory of 4832	4964	2il4588.exe	76
PID 4964 wrote to memory of 4832	4964	2il4588.exe	76
PID 4964 wrote to memory of 4832	4964	2il4588.exe	76
PID 4964 wrote to memory of 4832	4964	2il4588.exe	76
PID 4964 wrote to memory of 4832	4964	2il4588.exe	76
PID 4964 wrote to memory of 4832	4964	2il4588.exe	76

C:\Users\Admin\AppData\Local\Temp\0502ca4d4b48c386a1041e9b9fc5990270f22de19baef4958b005d9381ee5453.exe
"C:\Users\Admin\AppData\Local\Temp\0502ca4d4b48c386a1041e9b9fc5990270f22de19baef4958b005d9381ee5453.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yV7pW49.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yV7pW49.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Id0BX66.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Id0BX66.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cn6Iu18.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cn6Iu18.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ml18Oh4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ml18Oh4.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2il4588.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2il4588.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 568
        7⤵
        Program crash
        
        PID:5104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 584
        6⤵
        Program crash
        
        PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yV7pW49.exe

Filesize
1.4MB

MD5
6709d6b75b1b4e17f4efd23d47fca046

SHA1
2c43773aee74ee54a1caefbd70f3c6518a739987

SHA256
9b83936ca3d20482c57cb4209b4564fb6e5cb7008785b23be55cb8517e63a6d4

SHA512
fe5a5e6ed8b893fea9e8aec0c6d8fadb3e2596898e675cdcd51c58bf7d142f1650e0971a50968fb6f368f095f4653a08d0c36a025161f20ba8ade3cd2b8ed84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yV7pW49.exe

Filesize
1.4MB

MD5
6709d6b75b1b4e17f4efd23d47fca046

SHA1
2c43773aee74ee54a1caefbd70f3c6518a739987

SHA256
9b83936ca3d20482c57cb4209b4564fb6e5cb7008785b23be55cb8517e63a6d4

SHA512
fe5a5e6ed8b893fea9e8aec0c6d8fadb3e2596898e675cdcd51c58bf7d142f1650e0971a50968fb6f368f095f4653a08d0c36a025161f20ba8ade3cd2b8ed84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Id0BX66.exe

Filesize
985KB

MD5
73a498dfbd78463e525c4f82cb3469fa

SHA1
54a96b63802e768b88783aea356846bc4166cb18

SHA256
71b217ccd3155697f9be4c3ff7fcf148554eb12c2aae8cc76d3503ed092b51bd

SHA512
e6582ecfbc00492eeacefeafde3b739ad3c00da529bdcbc45f74e3abeaaea31cb5f3c3018598e10fc9f3378d7492a2ec54ee0f7211cb0df67aa677694a70d58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Id0BX66.exe

Filesize
985KB

MD5
73a498dfbd78463e525c4f82cb3469fa

SHA1
54a96b63802e768b88783aea356846bc4166cb18

SHA256
71b217ccd3155697f9be4c3ff7fcf148554eb12c2aae8cc76d3503ed092b51bd

SHA512
e6582ecfbc00492eeacefeafde3b739ad3c00da529bdcbc45f74e3abeaaea31cb5f3c3018598e10fc9f3378d7492a2ec54ee0f7211cb0df67aa677694a70d58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cn6Iu18.exe

Filesize
598KB

MD5
6614aa84cd4f9d3476256f4b8fb9b43f

SHA1
626a6b2990d9cb4a6b6e26243ad8f4b5aaf93318

SHA256
9452fd4308bced51fb4f16693be3cae317dd71075f80ea6f486ca2976f0c44c7

SHA512
1d211b07c28026967a6ca2dd09a1532449a6edf11fd7f33d1ca56727ede5d621f570f4a4aabbcc3c4828b6f66dd16642f76e9194ecdd96b9130c2c370aa3204f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cn6Iu18.exe

Filesize
598KB

MD5
6614aa84cd4f9d3476256f4b8fb9b43f

SHA1
626a6b2990d9cb4a6b6e26243ad8f4b5aaf93318

SHA256
9452fd4308bced51fb4f16693be3cae317dd71075f80ea6f486ca2976f0c44c7

SHA512
1d211b07c28026967a6ca2dd09a1532449a6edf11fd7f33d1ca56727ede5d621f570f4a4aabbcc3c4828b6f66dd16642f76e9194ecdd96b9130c2c370aa3204f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ml18Oh4.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ml18Oh4.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2il4588.exe

Filesize
1.4MB

MD5
0e27b44f7e884bbca7dbf46052d20154

SHA1
b9cc7e40f72ce6f67bf8d745f9feddadea1caa09

SHA256
0e118670fcc7015be4cc24f4dac4061e4d7652d2bfdf272822ef8d59b7972dfc

SHA512
ab6132a85aaa1bb38a96905d9371460a44c4dd17cf6a623bf64395e4f35e32ac3d4d3053c3ad13dc3260b301e894ab1f911106845a7f1faf182f78956c8d97c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2il4588.exe

Filesize
1.4MB

MD5
0e27b44f7e884bbca7dbf46052d20154

SHA1
b9cc7e40f72ce6f67bf8d745f9feddadea1caa09

SHA256
0e118670fcc7015be4cc24f4dac4061e4d7652d2bfdf272822ef8d59b7972dfc

SHA512
ab6132a85aaa1bb38a96905d9371460a44c4dd17cf6a623bf64395e4f35e32ac3d4d3053c3ad13dc3260b301e894ab1f911106845a7f1faf182f78956c8d97c1

Download Submit
memory/4444-39-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-53-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-32-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-33-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-35-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-37-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-30-0x0000000004B50000-0x000000000504E000-memory.dmp

Filesize
5.0MB

Download
memory/4444-41-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-43-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-45-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-47-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-49-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-51-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-31-0x0000000004A70000-0x0000000004A8C000-memory.dmp

Filesize
112KB

Download
memory/4444-55-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-57-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-59-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4444-60-0x0000000073130000-0x000000007381E000-memory.dmp

Filesize
6.9MB

Download
memory/4444-62-0x0000000073130000-0x000000007381E000-memory.dmp

Filesize
6.9MB

Download
memory/4444-28-0x0000000073130000-0x000000007381E000-memory.dmp

Filesize
6.9MB

Download
memory/4444-29-0x00000000021D0000-0x00000000021EE000-memory.dmp

Filesize
120KB

Download
memory/4832-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4832-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4832-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4832-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download