3c2ada8704508c3b60b26ff97dac350eefc7902ed6ab3c430d413f2333e9acfa

Analysis

max time kernel
127s
max time network
136s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04-10-2023 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c2ada8704508c3b60b26ff97dac350eefc7902ed6ab3c430d413f2333e9acfa.exe
Size

1.8MB
MD5

e7d050576a5b6e710198b6a55c6db85d
SHA1

aed3bf7d37a6d2efcd1e32c63a6045e331b34ecb
SHA256

3c2ada8704508c3b60b26ff97dac350eefc7902ed6ab3c430d413f2333e9acfa
SHA512

2a0fdfe6abe50ed7a6b0fa5ca358a0003da6f7fb992c3b65d7a4dd71d51b8d0a697c6718891cd4d93c82941e7144633939ad6ac95c659d15c43f61c38e54a8a2
SSDEEP

49152:LIJSkiB6EAVkIpgPEAAtGZtG5MgGGpVyAKJ0PCa:MXiwvLFAbt2MidNC

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1IL72Ht3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1IL72Ht3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1IL72Ht3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1IL72Ht3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1IL72Ht3.exe

Executes dropped EXE 5 IoCs

pid	Process
3684	zo0So68.exe
1116	JI7ZB89.exe
240	uO5fE63.exe
4240	1IL72Ht3.exe
4232	2nQ2053.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1IL72Ht3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1IL72Ht3.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3c2ada8704508c3b60b26ff97dac350eefc7902ed6ab3c430d413f2333e9acfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zo0So68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	JI7ZB89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	uO5fE63.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4232 set thread context of 2280	4232	2nQ2053.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3812	4232	WerFault.exe	74
424	2280	WerFault.exe	75

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4240	1IL72Ht3.exe
4240	1IL72Ht3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	1IL72Ht3.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 3684	836	3c2ada8704508c3b60b26ff97dac350eefc7902ed6ab3c430d413f2333e9acfa.exe	70
PID 836 wrote to memory of 3684	836	3c2ada8704508c3b60b26ff97dac350eefc7902ed6ab3c430d413f2333e9acfa.exe	70
PID 836 wrote to memory of 3684	836	3c2ada8704508c3b60b26ff97dac350eefc7902ed6ab3c430d413f2333e9acfa.exe	70
PID 3684 wrote to memory of 1116	3684	zo0So68.exe	71
PID 3684 wrote to memory of 1116	3684	zo0So68.exe	71
PID 3684 wrote to memory of 1116	3684	zo0So68.exe	71
PID 1116 wrote to memory of 240	1116	JI7ZB89.exe	72
PID 1116 wrote to memory of 240	1116	JI7ZB89.exe	72
PID 1116 wrote to memory of 240	1116	JI7ZB89.exe	72
PID 240 wrote to memory of 4240	240	uO5fE63.exe	73
PID 240 wrote to memory of 4240	240	uO5fE63.exe	73
PID 240 wrote to memory of 4240	240	uO5fE63.exe	73
PID 240 wrote to memory of 4232	240	uO5fE63.exe	74
PID 240 wrote to memory of 4232	240	uO5fE63.exe	74
PID 240 wrote to memory of 4232	240	uO5fE63.exe	74
PID 4232 wrote to memory of 2280	4232	2nQ2053.exe	75
PID 4232 wrote to memory of 2280	4232	2nQ2053.exe	75
PID 4232 wrote to memory of 2280	4232	2nQ2053.exe	75
PID 4232 wrote to memory of 2280	4232	2nQ2053.exe	75
PID 4232 wrote to memory of 2280	4232	2nQ2053.exe	75
PID 4232 wrote to memory of 2280	4232	2nQ2053.exe	75
PID 4232 wrote to memory of 2280	4232	2nQ2053.exe	75
PID 4232 wrote to memory of 2280	4232	2nQ2053.exe	75
PID 4232 wrote to memory of 2280	4232	2nQ2053.exe	75
PID 4232 wrote to memory of 2280	4232	2nQ2053.exe	75

C:\Users\Admin\AppData\Local\Temp\3c2ada8704508c3b60b26ff97dac350eefc7902ed6ab3c430d413f2333e9acfa.exe
"C:\Users\Admin\AppData\Local\Temp\3c2ada8704508c3b60b26ff97dac350eefc7902ed6ab3c430d413f2333e9acfa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zo0So68.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zo0So68.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI7ZB89.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI7ZB89.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uO5fE63.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uO5fE63.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:240
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1IL72Ht3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1IL72Ht3.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2nQ2053.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2nQ2053.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4232
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 568
        7⤵
        Program crash
        
        PID:424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 588
        6⤵
        Program crash
        
        PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zo0So68.exe

Filesize
1.7MB

MD5
eafd1d4b6772e8624b0b4e05eb3992d6

SHA1
14a32cfb21608c7e95f0d61625f3f2a643c556bb

SHA256
f3704b5d7155f3fb830fa835bb090b2ddf4c1df6f23eb83abb0ca36d48fef12f

SHA512
7217f699a2547a8331509ef3d62f6fd23831b8253e3f0e4ed37234387c44282da07d6710ec2ce3d8e0a797a873c5bada39ee9f58bc6061c339f939acb11c033b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zo0So68.exe

Filesize
1.7MB

MD5
eafd1d4b6772e8624b0b4e05eb3992d6

SHA1
14a32cfb21608c7e95f0d61625f3f2a643c556bb

SHA256
f3704b5d7155f3fb830fa835bb090b2ddf4c1df6f23eb83abb0ca36d48fef12f

SHA512
7217f699a2547a8331509ef3d62f6fd23831b8253e3f0e4ed37234387c44282da07d6710ec2ce3d8e0a797a873c5bada39ee9f58bc6061c339f939acb11c033b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI7ZB89.exe

Filesize
1.1MB

MD5
3d3d81288630ed394c69279a6949367f

SHA1
18c9abc44f6a0bd5f01ee7e256d6329214fca331

SHA256
ca22ecec1a6c5f5cfcb08731e3ea9a920b28f68037f14ecb6d06a42f0999f9fe

SHA512
1b78efb3ba75d7fc1a85f09010c1f019e32d85d703db3085a4b850512066f52132b25d42ddafd8b08e703d7f43f05eaa66ec3e35f0e83b6b278c4cb8102935f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JI7ZB89.exe

Filesize
1.1MB

MD5
3d3d81288630ed394c69279a6949367f

SHA1
18c9abc44f6a0bd5f01ee7e256d6329214fca331

SHA256
ca22ecec1a6c5f5cfcb08731e3ea9a920b28f68037f14ecb6d06a42f0999f9fe

SHA512
1b78efb3ba75d7fc1a85f09010c1f019e32d85d703db3085a4b850512066f52132b25d42ddafd8b08e703d7f43f05eaa66ec3e35f0e83b6b278c4cb8102935f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uO5fE63.exe

Filesize
689KB

MD5
15b71d89eb90db529e1d264a5c2e398a

SHA1
3ab2aeeb606b8aad73bfaf99a95505686ec47961

SHA256
13d6c38b660129eb6ed270991ed33051a7bdbc3f39975c63c6056cd47e107064

SHA512
503c7dce43b71422b58caba6ea7aae36c606458d252eb61b6bb405e70c39518185e34f331d32b8ed2fbe9300de87ef6375196211d9daf5ae996d3ad43aa57c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uO5fE63.exe

Filesize
689KB

MD5
15b71d89eb90db529e1d264a5c2e398a

SHA1
3ab2aeeb606b8aad73bfaf99a95505686ec47961

SHA256
13d6c38b660129eb6ed270991ed33051a7bdbc3f39975c63c6056cd47e107064

SHA512
503c7dce43b71422b58caba6ea7aae36c606458d252eb61b6bb405e70c39518185e34f331d32b8ed2fbe9300de87ef6375196211d9daf5ae996d3ad43aa57c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1IL72Ht3.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1IL72Ht3.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2nQ2053.exe

Filesize
1.8MB

MD5
1b526f348462f0e94a2c9ef3039f3768

SHA1
fbe94dc3a86134f4c9223d08c9ed9f86ba074f71

SHA256
ca674fa3f868781b6f264c3e9b70d156d611370b702078fd625b46031a160daa

SHA512
3a631e57c1d895ba95acf0e4988e9b9208c3e812852d53ca6d19828825eb84ad103e00b4b00fb57e00c63866168432bdead8f994fd44a636b7b7e73e13e9c16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2nQ2053.exe

Filesize
1.8MB

MD5
1b526f348462f0e94a2c9ef3039f3768

SHA1
fbe94dc3a86134f4c9223d08c9ed9f86ba074f71

SHA256
ca674fa3f868781b6f264c3e9b70d156d611370b702078fd625b46031a160daa

SHA512
3a631e57c1d895ba95acf0e4988e9b9208c3e812852d53ca6d19828825eb84ad103e00b4b00fb57e00c63866168432bdead8f994fd44a636b7b7e73e13e9c16d

Download Submit
memory/2280-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2280-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2280-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2280-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4240-39-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-57-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-35-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-41-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-43-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-45-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-47-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-49-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-51-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-53-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-55-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-37-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-59-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-60-0x0000000072BD0000-0x00000000732BE000-memory.dmp

Filesize
6.9MB

Download
memory/4240-62-0x0000000072BD0000-0x00000000732BE000-memory.dmp

Filesize
6.9MB

Download
memory/4240-33-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-32-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4240-31-0x0000000004A70000-0x0000000004A8C000-memory.dmp

Filesize
112KB

Download
memory/4240-30-0x0000000004BC0000-0x00000000050BE000-memory.dmp

Filesize
5.0MB

Download
memory/4240-28-0x0000000002480000-0x000000000249E000-memory.dmp

Filesize
120KB

Download
memory/4240-29-0x0000000072BD0000-0x00000000732BE000-memory.dmp

Filesize
6.9MB

Download