875acc02acd3a639781675dc82c3aaaf9707370189ce92044cea2cc74ff28ea9

Analysis

max time kernel
71s
max time network
80s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04-10-2023 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

875acc02acd3a639781675dc82c3aaaf9707370189ce92044cea2cc74ff28ea9.exe
Size

1.5MB
MD5

8bb20d4e09b3344eac08ad66691c6770
SHA1

e033c261a034083ce3376445f87cf829a512779d
SHA256

875acc02acd3a639781675dc82c3aaaf9707370189ce92044cea2cc74ff28ea9
SHA512

91cb117de385e9ec39a286c67c4d35bc2149d7407a277d45e87742cd8cd234db5f9582e268fa582ae2df54cc1e6e89882092f36c4100390e63841f0459d47572
SSDEEP

49152:SQGDTF1z6XT1NDuAOQpOUTQ4CXH8YNq+:/G91OXDDuA7phs4CsH

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1AY01Ov0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1AY01Ov0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1AY01Ov0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1AY01Ov0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1AY01Ov0.exe

Executes dropped EXE 5 IoCs

pid	Process
4836	UR1dj17.exe
4376	aU8yR49.exe
2448	Py0by64.exe
1796	1AY01Ov0.exe
1348	2qU0592.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1AY01Ov0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1AY01Ov0.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	875acc02acd3a639781675dc82c3aaaf9707370189ce92044cea2cc74ff28ea9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	UR1dj17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	aU8yR49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Py0by64.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 2284	1348	2qU0592.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3528	1348	WerFault.exe	73
4920	2284	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1796	1AY01Ov0.exe
1796	1AY01Ov0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	1AY01Ov0.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4836	5008	875acc02acd3a639781675dc82c3aaaf9707370189ce92044cea2cc74ff28ea9.exe	69
PID 5008 wrote to memory of 4836	5008	875acc02acd3a639781675dc82c3aaaf9707370189ce92044cea2cc74ff28ea9.exe	69
PID 5008 wrote to memory of 4836	5008	875acc02acd3a639781675dc82c3aaaf9707370189ce92044cea2cc74ff28ea9.exe	69
PID 4836 wrote to memory of 4376	4836	UR1dj17.exe	70
PID 4836 wrote to memory of 4376	4836	UR1dj17.exe	70
PID 4836 wrote to memory of 4376	4836	UR1dj17.exe	70
PID 4376 wrote to memory of 2448	4376	aU8yR49.exe	71
PID 4376 wrote to memory of 2448	4376	aU8yR49.exe	71
PID 4376 wrote to memory of 2448	4376	aU8yR49.exe	71
PID 2448 wrote to memory of 1796	2448	Py0by64.exe	72
PID 2448 wrote to memory of 1796	2448	Py0by64.exe	72
PID 2448 wrote to memory of 1796	2448	Py0by64.exe	72
PID 2448 wrote to memory of 1348	2448	Py0by64.exe	73
PID 2448 wrote to memory of 1348	2448	Py0by64.exe	73
PID 2448 wrote to memory of 1348	2448	Py0by64.exe	73
PID 1348 wrote to memory of 2312	1348	2qU0592.exe	75
PID 1348 wrote to memory of 2312	1348	2qU0592.exe	75
PID 1348 wrote to memory of 2312	1348	2qU0592.exe	75
PID 1348 wrote to memory of 2316	1348	2qU0592.exe	76
PID 1348 wrote to memory of 2316	1348	2qU0592.exe	76
PID 1348 wrote to memory of 2316	1348	2qU0592.exe	76
PID 1348 wrote to memory of 2284	1348	2qU0592.exe	77
PID 1348 wrote to memory of 2284	1348	2qU0592.exe	77
PID 1348 wrote to memory of 2284	1348	2qU0592.exe	77
PID 1348 wrote to memory of 2284	1348	2qU0592.exe	77
PID 1348 wrote to memory of 2284	1348	2qU0592.exe	77
PID 1348 wrote to memory of 2284	1348	2qU0592.exe	77
PID 1348 wrote to memory of 2284	1348	2qU0592.exe	77
PID 1348 wrote to memory of 2284	1348	2qU0592.exe	77
PID 1348 wrote to memory of 2284	1348	2qU0592.exe	77
PID 1348 wrote to memory of 2284	1348	2qU0592.exe	77

C:\Users\Admin\AppData\Local\Temp\875acc02acd3a639781675dc82c3aaaf9707370189ce92044cea2cc74ff28ea9.exe
"C:\Users\Admin\AppData\Local\Temp\875acc02acd3a639781675dc82c3aaaf9707370189ce92044cea2cc74ff28ea9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UR1dj17.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UR1dj17.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aU8yR49.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aU8yR49.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Py0by64.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Py0by64.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AY01Ov0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AY01Ov0.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qU0592.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qU0592.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2312
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2316
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 568
        7⤵
        Program crash
        
        PID:4920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 584
        6⤵
        Program crash
        
        PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UR1dj17.exe

Filesize
1.4MB

MD5
c16fd04d8e5d92d405365e09011f7c39

SHA1
bac0e5f78edb8f17a4159af1bcbeb93d59e8218b

SHA256
0cf50da1bdbe7e5ff5b923cf1417b7633d685da5a1aabae672906a7ab3ec5eeb

SHA512
04a58c0297e0a8217dcc662d260189b60f9bb72eae5e9df3e82aa4993c70edf6148932b4acb65e631814be2c7de22bc5ebbca76f5036fa0c35a30d3d6d0518d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UR1dj17.exe

Filesize
1.4MB

MD5
c16fd04d8e5d92d405365e09011f7c39

SHA1
bac0e5f78edb8f17a4159af1bcbeb93d59e8218b

SHA256
0cf50da1bdbe7e5ff5b923cf1417b7633d685da5a1aabae672906a7ab3ec5eeb

SHA512
04a58c0297e0a8217dcc662d260189b60f9bb72eae5e9df3e82aa4993c70edf6148932b4acb65e631814be2c7de22bc5ebbca76f5036fa0c35a30d3d6d0518d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aU8yR49.exe

Filesize
985KB

MD5
b81a320978b25a91fe8ff58190aaf60b

SHA1
45042b8e499de34ebbd210e7ea6141a2116c25c1

SHA256
595210c8c86e78c64e72e730f7238737a45ecca2c43a9a2412d8b5b9f5407f55

SHA512
93c4406679cb7162a3acee1f4e25faf27f8ff4f3d9b5c83152cba4b651a169244bf087e82a5561285986b81893ffaf42b7690811bd3a291af1e623ec91642b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aU8yR49.exe

Filesize
985KB

MD5
b81a320978b25a91fe8ff58190aaf60b

SHA1
45042b8e499de34ebbd210e7ea6141a2116c25c1

SHA256
595210c8c86e78c64e72e730f7238737a45ecca2c43a9a2412d8b5b9f5407f55

SHA512
93c4406679cb7162a3acee1f4e25faf27f8ff4f3d9b5c83152cba4b651a169244bf087e82a5561285986b81893ffaf42b7690811bd3a291af1e623ec91642b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Py0by64.exe

Filesize
598KB

MD5
3676b7ac361f23592160d1826ea2d77e

SHA1
b3d47b6aa3f24d1db944c9cc1b3434324ea65096

SHA256
736695a937d0e264448520aeaaecd5b3d4d98967e8ccd8640877cdd00189af7f

SHA512
eb4e2ecd17509c726ce38a6d7e1d3f274993e996cc7d28a7021c229aa3f8783a38376a866d77f1b7f6a01759ee1bce18c346f7758d9eda2af3d88a44050f38a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Py0by64.exe

Filesize
598KB

MD5
3676b7ac361f23592160d1826ea2d77e

SHA1
b3d47b6aa3f24d1db944c9cc1b3434324ea65096

SHA256
736695a937d0e264448520aeaaecd5b3d4d98967e8ccd8640877cdd00189af7f

SHA512
eb4e2ecd17509c726ce38a6d7e1d3f274993e996cc7d28a7021c229aa3f8783a38376a866d77f1b7f6a01759ee1bce18c346f7758d9eda2af3d88a44050f38a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AY01Ov0.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AY01Ov0.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qU0592.exe

Filesize
1.4MB

MD5
01926d54cc0eb8699a7572f41e95ada9

SHA1
0ae1bfb05ce93b009daa8cc668fa07384822d956

SHA256
7f883f2c122abb0462c08861ea590156e47ba04f7e8690b1293b07c2a7aeed90

SHA512
46d5f4876c121835c863332fc4daf0cf6199f2298b0206defbbd601d5e41b90636f0da8dd8e8705f933497a4a344c6852bbc91588f165b81551d259445aaa92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qU0592.exe

Filesize
1.4MB

MD5
01926d54cc0eb8699a7572f41e95ada9

SHA1
0ae1bfb05ce93b009daa8cc668fa07384822d956

SHA256
7f883f2c122abb0462c08861ea590156e47ba04f7e8690b1293b07c2a7aeed90

SHA512
46d5f4876c121835c863332fc4daf0cf6199f2298b0206defbbd601d5e41b90636f0da8dd8e8705f933497a4a344c6852bbc91588f165b81551d259445aaa92b

Download Submit
memory/1796-39-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-53-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-32-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-33-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-35-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-37-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-30-0x0000000004B40000-0x000000000503E000-memory.dmp

Filesize
5.0MB

Download
memory/1796-41-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-43-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-45-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-47-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-49-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-51-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-31-0x0000000002620000-0x000000000263C000-memory.dmp

Filesize
112KB

Download
memory/1796-55-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-57-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-59-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/1796-60-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/1796-62-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/1796-28-0x0000000002170000-0x000000000218E000-memory.dmp

Filesize
120KB

Download
memory/1796-29-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2284-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2284-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2284-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download