4e3a98f1862e93ff8e18a98163f15d148ae8390f564bb4602b64d167f6680314

Analysis

max time kernel
113s
max time network
116s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04-10-2023 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e3a98f1862e93ff8e18a98163f15d148ae8390f564bb4602b64d167f6680314.exe
Size

1.5MB
MD5

ee839b1832559d47ca02095793c5c6e4
SHA1

74ea06a89f5ff2839d5d9dad8bd10529cc7d9c1f
SHA256

4e3a98f1862e93ff8e18a98163f15d148ae8390f564bb4602b64d167f6680314
SHA512

5dca92683533551ce7bf563bd4720d5c269eb0cac9a290f1d1d2b02b1ce01cbf8c83689fecb871db4de862a597f61f17ead27d8ef1101c855ec164c0e3597f57
SSDEEP

24576:UyGD40LeXRnB6wlrHt57NK0J6Qfk+AoW6cq3kISOAqdCc80Sv0S4v0Q:jznJB6wlPc0J6Qfk+44SOoKSi0

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1vz23UP4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1vz23UP4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1vz23UP4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1vz23UP4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1vz23UP4.exe

Executes dropped EXE 5 IoCs

pid	Process
212	Qg5Dt66.exe
1928	Cw2ER49.exe
1480	ra8VZ75.exe
2248	1vz23UP4.exe
4776	2yr5957.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1vz23UP4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1vz23UP4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4e3a98f1862e93ff8e18a98163f15d148ae8390f564bb4602b64d167f6680314.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Qg5Dt66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Cw2ER49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ra8VZ75.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4776 set thread context of 796	4776	2yr5957.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1588	4776	WerFault.exe	74
4168	796	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2248	1vz23UP4.exe
2248	1vz23UP4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	1vz23UP4.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 212	3468	4e3a98f1862e93ff8e18a98163f15d148ae8390f564bb4602b64d167f6680314.exe	70
PID 3468 wrote to memory of 212	3468	4e3a98f1862e93ff8e18a98163f15d148ae8390f564bb4602b64d167f6680314.exe	70
PID 3468 wrote to memory of 212	3468	4e3a98f1862e93ff8e18a98163f15d148ae8390f564bb4602b64d167f6680314.exe	70
PID 212 wrote to memory of 1928	212	Qg5Dt66.exe	71
PID 212 wrote to memory of 1928	212	Qg5Dt66.exe	71
PID 212 wrote to memory of 1928	212	Qg5Dt66.exe	71
PID 1928 wrote to memory of 1480	1928	Cw2ER49.exe	72
PID 1928 wrote to memory of 1480	1928	Cw2ER49.exe	72
PID 1928 wrote to memory of 1480	1928	Cw2ER49.exe	72
PID 1480 wrote to memory of 2248	1480	ra8VZ75.exe	73
PID 1480 wrote to memory of 2248	1480	ra8VZ75.exe	73
PID 1480 wrote to memory of 2248	1480	ra8VZ75.exe	73
PID 1480 wrote to memory of 4776	1480	ra8VZ75.exe	74
PID 1480 wrote to memory of 4776	1480	ra8VZ75.exe	74
PID 1480 wrote to memory of 4776	1480	ra8VZ75.exe	74
PID 4776 wrote to memory of 796	4776	2yr5957.exe	76
PID 4776 wrote to memory of 796	4776	2yr5957.exe	76
PID 4776 wrote to memory of 796	4776	2yr5957.exe	76
PID 4776 wrote to memory of 796	4776	2yr5957.exe	76
PID 4776 wrote to memory of 796	4776	2yr5957.exe	76
PID 4776 wrote to memory of 796	4776	2yr5957.exe	76
PID 4776 wrote to memory of 796	4776	2yr5957.exe	76
PID 4776 wrote to memory of 796	4776	2yr5957.exe	76
PID 4776 wrote to memory of 796	4776	2yr5957.exe	76
PID 4776 wrote to memory of 796	4776	2yr5957.exe	76

C:\Users\Admin\AppData\Local\Temp\4e3a98f1862e93ff8e18a98163f15d148ae8390f564bb4602b64d167f6680314.exe
"C:\Users\Admin\AppData\Local\Temp\4e3a98f1862e93ff8e18a98163f15d148ae8390f564bb4602b64d167f6680314.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qg5Dt66.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qg5Dt66.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cw2ER49.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cw2ER49.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ra8VZ75.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ra8VZ75.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vz23UP4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vz23UP4.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yr5957.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yr5957.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 568
        7⤵
        Program crash
        
        PID:4168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 588
        6⤵
        Program crash
        
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qg5Dt66.exe

Filesize
1.4MB

MD5
c5ba8084a515deb88f578bfb766f785f

SHA1
8da7d3f13c4ef1d93f535d1d42de9b8dfaf98486

SHA256
88d21fe688e3300e79c997e267296ba96b089b453c416ac0f4384e458a311f8c

SHA512
fd5d41e048f3c5d2ca73775887ad94b83b1d2ea83f9c57ecbc1f774a8ba19ebc636737b45ecc14e2550f317494d2c4a09cb98ac86ac38237a69ca1be002723fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qg5Dt66.exe

Filesize
1.4MB

MD5
c5ba8084a515deb88f578bfb766f785f

SHA1
8da7d3f13c4ef1d93f535d1d42de9b8dfaf98486

SHA256
88d21fe688e3300e79c997e267296ba96b089b453c416ac0f4384e458a311f8c

SHA512
fd5d41e048f3c5d2ca73775887ad94b83b1d2ea83f9c57ecbc1f774a8ba19ebc636737b45ecc14e2550f317494d2c4a09cb98ac86ac38237a69ca1be002723fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cw2ER49.exe

Filesize
985KB

MD5
b3ffde6f0972fc4000dd528f64ace2cf

SHA1
030321dfcab17ae27c17188afbc88f8e11c4e18a

SHA256
09801b14a760bf4ea43b2b4f06e4e204b3f326ae44e285099441cf8a04d05005

SHA512
f34c202955d202d3b7698bf8ef16926441110170e0aa13aab2a3423eca256ec8b615463f9f4b659f1c1f19239c747de2b96a73fb30781250f49cfeb4d9bded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cw2ER49.exe

Filesize
985KB

MD5
b3ffde6f0972fc4000dd528f64ace2cf

SHA1
030321dfcab17ae27c17188afbc88f8e11c4e18a

SHA256
09801b14a760bf4ea43b2b4f06e4e204b3f326ae44e285099441cf8a04d05005

SHA512
f34c202955d202d3b7698bf8ef16926441110170e0aa13aab2a3423eca256ec8b615463f9f4b659f1c1f19239c747de2b96a73fb30781250f49cfeb4d9bded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ra8VZ75.exe

Filesize
598KB

MD5
ec7f6f4c2934b4b2e520ed6b32fd179c

SHA1
5b24f828333cbbb265860d39236c4e021c0fb99c

SHA256
ff798d800b76009398c385717ca8a81f8cd9419cf2a869a0eb34ab648700a6d4

SHA512
8dd2c07abb2518dacce8e6b87d7b62bdd9420525297ffd1bc4f82387a7611d3ebfdc5a7b22e25b774708d3a5c52e1c9745c849f711c3a5b1196fecd9b88519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ra8VZ75.exe

Filesize
598KB

MD5
ec7f6f4c2934b4b2e520ed6b32fd179c

SHA1
5b24f828333cbbb265860d39236c4e021c0fb99c

SHA256
ff798d800b76009398c385717ca8a81f8cd9419cf2a869a0eb34ab648700a6d4

SHA512
8dd2c07abb2518dacce8e6b87d7b62bdd9420525297ffd1bc4f82387a7611d3ebfdc5a7b22e25b774708d3a5c52e1c9745c849f711c3a5b1196fecd9b88519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vz23UP4.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vz23UP4.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yr5957.exe

Filesize
1.4MB

MD5
ac31cc6deae8ebbaf8a1971903771a4d

SHA1
4fcff0869288fda4ca8128f9e2304e046b85aea2

SHA256
05ed97d5ccf9e38b95c335d8b3c5bb49c4ef6a223da29c815579db152f272197

SHA512
46c4f57fad7223bf2aefa1ff120b71dadda0f0b3f1cdddfdfcd44e8eabd40983ae61335b48ca7ef0639445f042f69cbba26b4a740755c1ce019533c58ea4dfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yr5957.exe

Filesize
1.4MB

MD5
ac31cc6deae8ebbaf8a1971903771a4d

SHA1
4fcff0869288fda4ca8128f9e2304e046b85aea2

SHA256
05ed97d5ccf9e38b95c335d8b3c5bb49c4ef6a223da29c815579db152f272197

SHA512
46c4f57fad7223bf2aefa1ff120b71dadda0f0b3f1cdddfdfcd44e8eabd40983ae61335b48ca7ef0639445f042f69cbba26b4a740755c1ce019533c58ea4dfd2

Download Submit
memory/796-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/796-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/796-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/796-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2248-39-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-57-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-35-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-41-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-45-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-43-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-47-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-49-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-51-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-53-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-55-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-37-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-59-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-60-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-62-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-33-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-32-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2248-31-0x00000000020F0000-0x000000000210C000-memory.dmp

Filesize
112KB

Download
memory/2248-30-0x0000000004A10000-0x0000000004F0E000-memory.dmp

Filesize
5.0MB

Download
memory/2248-29-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-28-0x00000000008D0000-0x00000000008EE000-memory.dmp

Filesize
120KB

Download