9f902bc60775f4883f454f703a29776a0c8d5728aa0dda90c4cfba6173e3732b

General

Target

9f902bc60775f4883f454f703a29776a0c8d5728aa0dda90c4cfba6173e3732b.exe
Size

1.9MB
MD5

8664d58aade098cbb69d372425345bd0
SHA1

5aae99c1772ba3708d689bd211551c14160360db
SHA256

9f902bc60775f4883f454f703a29776a0c8d5728aa0dda90c4cfba6173e3732b
SHA512

15eff359cdf613d2629aba7e10e6db6a3173a61ffa0d5c67b2c60c2acf1f91d72f78f3a87191b0ce725a753e533fa9fb75274de74c6c63cd1149019de2e66819
SSDEEP

49152:LRY+JJbrVVLGsRlOLIlMBkDJAIqy1j8uc8yzHEaNeTaW:1BrVZGsX9lAk1Gy1jtc8yzHO

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
4940	RJ0Hd24.exe
768	XU7oe83.exe
4536	yR5qu83.exe
4856	1iM26Rp5.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9f902bc60775f4883f454f703a29776a0c8d5728aa0dda90c4cfba6173e3732b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	RJ0Hd24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	XU7oe83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	yR5qu83.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4856 set thread context of 4872	4856	1iM26Rp5.exe	74

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3416	4856	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4872	AppLaunch.exe
4872	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4940	3588	9f902bc60775f4883f454f703a29776a0c8d5728aa0dda90c4cfba6173e3732b.exe	70
PID 3588 wrote to memory of 4940	3588	9f902bc60775f4883f454f703a29776a0c8d5728aa0dda90c4cfba6173e3732b.exe	70
PID 3588 wrote to memory of 4940	3588	9f902bc60775f4883f454f703a29776a0c8d5728aa0dda90c4cfba6173e3732b.exe	70
PID 4940 wrote to memory of 768	4940	RJ0Hd24.exe	71
PID 4940 wrote to memory of 768	4940	RJ0Hd24.exe	71
PID 4940 wrote to memory of 768	4940	RJ0Hd24.exe	71
PID 768 wrote to memory of 4536	768	XU7oe83.exe	72
PID 768 wrote to memory of 4536	768	XU7oe83.exe	72
PID 768 wrote to memory of 4536	768	XU7oe83.exe	72
PID 4536 wrote to memory of 4856	4536	yR5qu83.exe	73
PID 4536 wrote to memory of 4856	4536	yR5qu83.exe	73
PID 4536 wrote to memory of 4856	4536	yR5qu83.exe	73
PID 4856 wrote to memory of 4872	4856	1iM26Rp5.exe	74
PID 4856 wrote to memory of 4872	4856	1iM26Rp5.exe	74
PID 4856 wrote to memory of 4872	4856	1iM26Rp5.exe	74
PID 4856 wrote to memory of 4872	4856	1iM26Rp5.exe	74
PID 4856 wrote to memory of 4872	4856	1iM26Rp5.exe	74
PID 4856 wrote to memory of 4872	4856	1iM26Rp5.exe	74
PID 4856 wrote to memory of 4872	4856	1iM26Rp5.exe	74
PID 4856 wrote to memory of 4872	4856	1iM26Rp5.exe	74
PID 4856 wrote to memory of 4872	4856	1iM26Rp5.exe	74

C:\Users\Admin\AppData\Local\Temp\9f902bc60775f4883f454f703a29776a0c8d5728aa0dda90c4cfba6173e3732b.exe
"C:\Users\Admin\AppData\Local\Temp\9f902bc60775f4883f454f703a29776a0c8d5728aa0dda90c4cfba6173e3732b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RJ0Hd24.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RJ0Hd24.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XU7oe83.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XU7oe83.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yR5qu83.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yR5qu83.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1iM26Rp5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1iM26Rp5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 560
        6⤵
        Program crash
        
        PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RJ0Hd24.exe

Filesize
1.7MB

MD5
8fbf1240ce350a749a91389634b867cc

SHA1
d4286223db98011c5176ad39134ced69e5c51fc6

SHA256
53e6bfe58ccc320d3d90b25820f82f1954b8b437e53e9a3e4290d231fca52cde

SHA512
38b11383bffe8c7b36385d71be2b121938deb1369488fff993c8ff800e21e1a4e9375dffd9becfbbcb30543d46f34868879e76a8c4ff87c44f31d4f42572769d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RJ0Hd24.exe

Filesize
1.7MB

MD5
8fbf1240ce350a749a91389634b867cc

SHA1
d4286223db98011c5176ad39134ced69e5c51fc6

SHA256
53e6bfe58ccc320d3d90b25820f82f1954b8b437e53e9a3e4290d231fca52cde

SHA512
38b11383bffe8c7b36385d71be2b121938deb1369488fff993c8ff800e21e1a4e9375dffd9becfbbcb30543d46f34868879e76a8c4ff87c44f31d4f42572769d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XU7oe83.exe

Filesize
1.2MB

MD5
bb2e1ebd4fd636b6a514b4ca7f459fe5

SHA1
ce6fd631f0b7f5f4408411e69fc8e7da5f74d19a

SHA256
48114f8b17b66de4560ed3d580776891ad48b2cce5fe339c1c532093109f4c5d

SHA512
ad84bfb59addf85fccc347531992b6b5e1dccc9e7608617432da5f768020b9197db917f1fb793349e007a86b78fb77d9912594cc0500ac8e45fabb41cb78aaa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XU7oe83.exe

Filesize
1.2MB

MD5
bb2e1ebd4fd636b6a514b4ca7f459fe5

SHA1
ce6fd631f0b7f5f4408411e69fc8e7da5f74d19a

SHA256
48114f8b17b66de4560ed3d580776891ad48b2cce5fe339c1c532093109f4c5d

SHA512
ad84bfb59addf85fccc347531992b6b5e1dccc9e7608617432da5f768020b9197db917f1fb793349e007a86b78fb77d9912594cc0500ac8e45fabb41cb78aaa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yR5qu83.exe

Filesize
742KB

MD5
2e799493a697e5a803478be68b64acaf

SHA1
c93bf7aa030ba0c60fc9b56d5e461b0104291f58

SHA256
b3af5a289e8ac8a770f45eeb347a8645231e6558d00fb9f93333de66248399f3

SHA512
7dd18137c59eba3150cf2f7ac31be58489c4335839c7290091559028636e52f8dad3a2ea7d2f5486ae874c9492ea9439b7076f19a68af6bde5073808c08d8f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yR5qu83.exe

Filesize
742KB

MD5
2e799493a697e5a803478be68b64acaf

SHA1
c93bf7aa030ba0c60fc9b56d5e461b0104291f58

SHA256
b3af5a289e8ac8a770f45eeb347a8645231e6558d00fb9f93333de66248399f3

SHA512
7dd18137c59eba3150cf2f7ac31be58489c4335839c7290091559028636e52f8dad3a2ea7d2f5486ae874c9492ea9439b7076f19a68af6bde5073808c08d8f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1iM26Rp5.exe

Filesize
1.8MB

MD5
83e4ea04b62c66a99e17aafa7fc3546d

SHA1
6fed86de43920825f50be4570a2af264d377f695

SHA256
d1710893a0b41877d4e888638012b358095f4a443b50267b0627b5e61bfb5f0b

SHA512
08650f7065844e089879946d14547f9a4edd0626a25a0c936eb61ba9e45ef561799ac017e61a2d137590c921e72084bb8c071a6a9921bc93f07fd1521af4020f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1iM26Rp5.exe

Filesize
1.8MB

MD5
83e4ea04b62c66a99e17aafa7fc3546d

SHA1
6fed86de43920825f50be4570a2af264d377f695

SHA256
d1710893a0b41877d4e888638012b358095f4a443b50267b0627b5e61bfb5f0b

SHA512
08650f7065844e089879946d14547f9a4edd0626a25a0c936eb61ba9e45ef561799ac017e61a2d137590c921e72084bb8c071a6a9921bc93f07fd1521af4020f

Download Submit
memory/4872-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4872-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4872-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4872-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4872-37-0x0000000005740000-0x000000000575E000-memory.dmp

Filesize
120KB

Download
memory/4872-36-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/4872-38-0x0000000009EF0000-0x000000000A3EE000-memory.dmp

Filesize
5.0MB

Download
memory/4872-39-0x00000000073C0000-0x00000000073DC000-memory.dmp

Filesize
112KB

Download
memory/4872-40-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-41-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-43-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-45-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-49-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-47-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-51-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-53-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-55-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-57-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-59-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-63-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-61-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-65-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-67-0x00000000073C0000-0x00000000073D6000-memory.dmp

Filesize
88KB

Download
memory/4872-76-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/4872-91-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads