d55de05dfad137adbba7033ffedcc2dd7f90ff72224f0ba0014fc7d3fb805047

Analysis

max time kernel
126s
max time network
134s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04/10/2023, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d55de05dfad137adbba7033ffedcc2dd7f90ff72224f0ba0014fc7d3fb805047.exe
Size

1.5MB
MD5

0f7ab493392658ce24f83899d5d79376
SHA1

909cfda95467f4edf75d0097241a0367a9853152
SHA256

d55de05dfad137adbba7033ffedcc2dd7f90ff72224f0ba0014fc7d3fb805047
SHA512

ae446f3473b8f3dd4407893f6652fd0939c852eee12f1c7b537c4b3e31c0028d1bcc741d33e8f5cc3ce3e454db4eea60d3392be090171b90d767cc6fe4910761
SSDEEP

24576:dym/g4gFtv1JVCAcK6Jzh2Bd6qUgSCU99xh0cVvAc6FITKadtCl4OuE8+LO:4wZgFZZL6RhAU5Cs0cxd66TZdtc8

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1FS19FI5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1FS19FI5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1FS19FI5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1FS19FI5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1FS19FI5.exe

Executes dropped EXE 5 IoCs

pid	Process
4188	mh1aT89.exe
4848	xo9eg64.exe
1044	CL9Wo47.exe
3912	1FS19FI5.exe
4936	2Pe6061.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1FS19FI5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1FS19FI5.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d55de05dfad137adbba7033ffedcc2dd7f90ff72224f0ba0014fc7d3fb805047.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mh1aT89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xo9eg64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	CL9Wo47.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4936 set thread context of 3412	4936	2Pe6061.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
436	4936	WerFault.exe	74
5032	3412	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3912	1FS19FI5.exe
3912	1FS19FI5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	1FS19FI5.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4188	4904	d55de05dfad137adbba7033ffedcc2dd7f90ff72224f0ba0014fc7d3fb805047.exe	70
PID 4904 wrote to memory of 4188	4904	d55de05dfad137adbba7033ffedcc2dd7f90ff72224f0ba0014fc7d3fb805047.exe	70
PID 4904 wrote to memory of 4188	4904	d55de05dfad137adbba7033ffedcc2dd7f90ff72224f0ba0014fc7d3fb805047.exe	70
PID 4188 wrote to memory of 4848	4188	mh1aT89.exe	71
PID 4188 wrote to memory of 4848	4188	mh1aT89.exe	71
PID 4188 wrote to memory of 4848	4188	mh1aT89.exe	71
PID 4848 wrote to memory of 1044	4848	xo9eg64.exe	72
PID 4848 wrote to memory of 1044	4848	xo9eg64.exe	72
PID 4848 wrote to memory of 1044	4848	xo9eg64.exe	72
PID 1044 wrote to memory of 3912	1044	CL9Wo47.exe	73
PID 1044 wrote to memory of 3912	1044	CL9Wo47.exe	73
PID 1044 wrote to memory of 3912	1044	CL9Wo47.exe	73
PID 1044 wrote to memory of 4936	1044	CL9Wo47.exe	74
PID 1044 wrote to memory of 4936	1044	CL9Wo47.exe	74
PID 1044 wrote to memory of 4936	1044	CL9Wo47.exe	74
PID 4936 wrote to memory of 3412	4936	2Pe6061.exe	76
PID 4936 wrote to memory of 3412	4936	2Pe6061.exe	76
PID 4936 wrote to memory of 3412	4936	2Pe6061.exe	76
PID 4936 wrote to memory of 3412	4936	2Pe6061.exe	76
PID 4936 wrote to memory of 3412	4936	2Pe6061.exe	76
PID 4936 wrote to memory of 3412	4936	2Pe6061.exe	76
PID 4936 wrote to memory of 3412	4936	2Pe6061.exe	76
PID 4936 wrote to memory of 3412	4936	2Pe6061.exe	76
PID 4936 wrote to memory of 3412	4936	2Pe6061.exe	76
PID 4936 wrote to memory of 3412	4936	2Pe6061.exe	76

C:\Users\Admin\AppData\Local\Temp\d55de05dfad137adbba7033ffedcc2dd7f90ff72224f0ba0014fc7d3fb805047.exe
"C:\Users\Admin\AppData\Local\Temp\d55de05dfad137adbba7033ffedcc2dd7f90ff72224f0ba0014fc7d3fb805047.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh1aT89.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh1aT89.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xo9eg64.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xo9eg64.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CL9Wo47.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CL9Wo47.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1FS19FI5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1FS19FI5.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Pe6061.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Pe6061.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4936
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 568
        7⤵
        Program crash
        
        PID:5032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 140
        6⤵
        Program crash
        
        PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh1aT89.exe

Filesize
1.4MB

MD5
c4fc9476e5ed9cfc98c170f799371e55

SHA1
de679611a69b5928495291d1a0506adbf57f948a

SHA256
83f76e3f71ce3ebdd663f4d9c8bf77c2adc2fab32f49dd12d307c7f2a047c05f

SHA512
09380f7941ab4d5c1553bd0802c51b620b079b7c0b0b39406f44f0dc9e1cfc8001e81f6ce2e5ad436d955d134d2c02eaaa9fb98d4eb2ed9c9197667583674e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh1aT89.exe

Filesize
1.4MB

MD5
c4fc9476e5ed9cfc98c170f799371e55

SHA1
de679611a69b5928495291d1a0506adbf57f948a

SHA256
83f76e3f71ce3ebdd663f4d9c8bf77c2adc2fab32f49dd12d307c7f2a047c05f

SHA512
09380f7941ab4d5c1553bd0802c51b620b079b7c0b0b39406f44f0dc9e1cfc8001e81f6ce2e5ad436d955d134d2c02eaaa9fb98d4eb2ed9c9197667583674e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xo9eg64.exe

Filesize
985KB

MD5
78557648ad3033733b24c56db3ca1b59

SHA1
7ac615599746978cd41ed3f5704404962da6a4ae

SHA256
c486eeb875b58f3d33ca26ac02a770d87514869290b189446eabf45f8cb245ad

SHA512
f28837c985c16dda60f88a23ec89e302c477b73df232d1b76f6a43bcf9da8e8e9f1b5f1d9e000590ed305ff22d3355ef205978a171740b08b50f09a346a59498

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xo9eg64.exe

Filesize
985KB

MD5
78557648ad3033733b24c56db3ca1b59

SHA1
7ac615599746978cd41ed3f5704404962da6a4ae

SHA256
c486eeb875b58f3d33ca26ac02a770d87514869290b189446eabf45f8cb245ad

SHA512
f28837c985c16dda60f88a23ec89e302c477b73df232d1b76f6a43bcf9da8e8e9f1b5f1d9e000590ed305ff22d3355ef205978a171740b08b50f09a346a59498

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CL9Wo47.exe

Filesize
598KB

MD5
a89982a988293a393411e4d99673a2ba

SHA1
e88c2df0a1b24c1d2623e16c702839bb2cf2a4b7

SHA256
1c843f8fde22b567c1c50bb470749ed1739d1f00a2d126c5b88893aa9d149d8a

SHA512
09db754876a9a9ab78dd80a280710fe69eabe9657ef3e2339c11d6e05046bb0e591183a004e0a81b7ab120da558922be8c2967f814e0e5e8a4601c04d5969540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CL9Wo47.exe

Filesize
598KB

MD5
a89982a988293a393411e4d99673a2ba

SHA1
e88c2df0a1b24c1d2623e16c702839bb2cf2a4b7

SHA256
1c843f8fde22b567c1c50bb470749ed1739d1f00a2d126c5b88893aa9d149d8a

SHA512
09db754876a9a9ab78dd80a280710fe69eabe9657ef3e2339c11d6e05046bb0e591183a004e0a81b7ab120da558922be8c2967f814e0e5e8a4601c04d5969540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1FS19FI5.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1FS19FI5.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Pe6061.exe

Filesize
1.4MB

MD5
0fa07f11e0af93f1e94cf48c3b82737d

SHA1
8e42d327a97f3c45b9fdc50972f0d89eb49c77bc

SHA256
e555bd596a09e949bef918490fe32301b7098942f5adb9f4c21f56799aecde15

SHA512
2e616b877e1f2f79cc83f31021c6aedf872d7abe17b8779132ac3751122eaf2eb20b1d296579dcd8a3974f49896bbd724551358d6c195c7ad36ed79dfb477f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Pe6061.exe

Filesize
1.4MB

MD5
0fa07f11e0af93f1e94cf48c3b82737d

SHA1
8e42d327a97f3c45b9fdc50972f0d89eb49c77bc

SHA256
e555bd596a09e949bef918490fe32301b7098942f5adb9f4c21f56799aecde15

SHA512
2e616b877e1f2f79cc83f31021c6aedf872d7abe17b8779132ac3751122eaf2eb20b1d296579dcd8a3974f49896bbd724551358d6c195c7ad36ed79dfb477f0a

Download Submit
memory/3412-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3412-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3412-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3412-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3912-39-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-55-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-35-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-41-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-43-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-45-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-47-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-49-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-51-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-53-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-57-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-37-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-59-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-60-0x0000000072C50000-0x000000007333E000-memory.dmp

Filesize
6.9MB

Download
memory/3912-62-0x0000000072C50000-0x000000007333E000-memory.dmp

Filesize
6.9MB

Download
memory/3912-33-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-32-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3912-31-0x00000000024F0000-0x000000000250C000-memory.dmp

Filesize
112KB

Download
memory/3912-30-0x00000000049D0000-0x0000000004ECE000-memory.dmp

Filesize
5.0MB

Download
memory/3912-29-0x0000000072C50000-0x000000007333E000-memory.dmp

Filesize
6.9MB

Download
memory/3912-28-0x0000000000800000-0x000000000081E000-memory.dmp

Filesize
120KB

Download