a26ccd5c6f8a5857b8855360a5139ce2143741aec9c8c729f845578143dcbd29

General

Target

a26ccd5c6f8a5857b8855360a5139ce2143741aec9c8c729f845578143dcbd29.exe
Size

1.8MB
MD5

d497e2f41cf38ad130416dbffc63ad93
SHA1

a75f3b6522e9d9eefcb75ad95b39d09552cef3c8
SHA256

a26ccd5c6f8a5857b8855360a5139ce2143741aec9c8c729f845578143dcbd29
SHA512

b3fff015ca56888db4119ad3702943681ec1d90ed40121aedfd2ad7455a52dbc0b50c2c814695fc6a60b2e3f580e98054b6019a3f62afbdf939067fa9a3da3f8
SSDEEP

49152:gSxmRHwkFWs6oSq77CJhS+vELUIYjSe+9+AVnxkKPhdGuiXe:9UWsnSuW/HvEIT+9+AVOKPXGA

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
3536	BP4Pz91.exe
836	WM4Ru80.exe
5084	QY2gp51.exe
5008	1kx22dh4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a26ccd5c6f8a5857b8855360a5139ce2143741aec9c8c729f845578143dcbd29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	BP4Pz91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	WM4Ru80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	QY2gp51.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5008 set thread context of 1492	5008	1kx22dh4.exe	74

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1092	5008	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1492	AppLaunch.exe
1492	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 3536	3224	a26ccd5c6f8a5857b8855360a5139ce2143741aec9c8c729f845578143dcbd29.exe	70
PID 3224 wrote to memory of 3536	3224	a26ccd5c6f8a5857b8855360a5139ce2143741aec9c8c729f845578143dcbd29.exe	70
PID 3224 wrote to memory of 3536	3224	a26ccd5c6f8a5857b8855360a5139ce2143741aec9c8c729f845578143dcbd29.exe	70
PID 3536 wrote to memory of 836	3536	BP4Pz91.exe	71
PID 3536 wrote to memory of 836	3536	BP4Pz91.exe	71
PID 3536 wrote to memory of 836	3536	BP4Pz91.exe	71
PID 836 wrote to memory of 5084	836	WM4Ru80.exe	72
PID 836 wrote to memory of 5084	836	WM4Ru80.exe	72
PID 836 wrote to memory of 5084	836	WM4Ru80.exe	72
PID 5084 wrote to memory of 5008	5084	QY2gp51.exe	73
PID 5084 wrote to memory of 5008	5084	QY2gp51.exe	73
PID 5084 wrote to memory of 5008	5084	QY2gp51.exe	73
PID 5008 wrote to memory of 1492	5008	1kx22dh4.exe	74
PID 5008 wrote to memory of 1492	5008	1kx22dh4.exe	74
PID 5008 wrote to memory of 1492	5008	1kx22dh4.exe	74
PID 5008 wrote to memory of 1492	5008	1kx22dh4.exe	74
PID 5008 wrote to memory of 1492	5008	1kx22dh4.exe	74
PID 5008 wrote to memory of 1492	5008	1kx22dh4.exe	74
PID 5008 wrote to memory of 1492	5008	1kx22dh4.exe	74
PID 5008 wrote to memory of 1492	5008	1kx22dh4.exe	74
PID 5008 wrote to memory of 1492	5008	1kx22dh4.exe	74

C:\Users\Admin\AppData\Local\Temp\a26ccd5c6f8a5857b8855360a5139ce2143741aec9c8c729f845578143dcbd29.exe
"C:\Users\Admin\AppData\Local\Temp\a26ccd5c6f8a5857b8855360a5139ce2143741aec9c8c729f845578143dcbd29.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BP4Pz91.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BP4Pz91.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WM4Ru80.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WM4Ru80.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QY2gp51.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QY2gp51.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1kx22dh4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1kx22dh4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 568
        6⤵
        Program crash
        
        PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BP4Pz91.exe

Filesize
1.7MB

MD5
a5676891eb98f31aa543d6ba646ea400

SHA1
cd8835d2b22b271e1f8ae8275354a465d8e62d97

SHA256
76a02104dd159ee05a41030df1949cec78411c487bbc2e5f3a92a502c700f507

SHA512
c29e77a1176078db89c2ac92c005b5f4aa58461b6449930036f5640702cdad30e199e5b68846204e2b51f9b6f359681dc02a194df60efa484468da45b3d00a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BP4Pz91.exe

Filesize
1.7MB

MD5
a5676891eb98f31aa543d6ba646ea400

SHA1
cd8835d2b22b271e1f8ae8275354a465d8e62d97

SHA256
76a02104dd159ee05a41030df1949cec78411c487bbc2e5f3a92a502c700f507

SHA512
c29e77a1176078db89c2ac92c005b5f4aa58461b6449930036f5640702cdad30e199e5b68846204e2b51f9b6f359681dc02a194df60efa484468da45b3d00a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WM4Ru80.exe

Filesize
1.2MB

MD5
792b2078fe3603b1a7c3cbfa5e1aa11e

SHA1
f5872dcec5eceb25dd335739eec5bdb35254d9dd

SHA256
cd7aa827693a4a32e94ab5043a2afd6fe08733d05986f70d0ed59018386a9045

SHA512
04c397993732bb1bcc5e768168da84d0970cf9724564cbd000e0e168378b9d22541255048bfab91905380dc55fa4e7858f01c22799548b8facbd25d030eabfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WM4Ru80.exe

Filesize
1.2MB

MD5
792b2078fe3603b1a7c3cbfa5e1aa11e

SHA1
f5872dcec5eceb25dd335739eec5bdb35254d9dd

SHA256
cd7aa827693a4a32e94ab5043a2afd6fe08733d05986f70d0ed59018386a9045

SHA512
04c397993732bb1bcc5e768168da84d0970cf9724564cbd000e0e168378b9d22541255048bfab91905380dc55fa4e7858f01c22799548b8facbd25d030eabfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QY2gp51.exe

Filesize
730KB

MD5
e54d9e841b00a17bbe16720e23d55be3

SHA1
0822df30ca0cb03b9cedcf5586d6e54ada03a100

SHA256
a68f8ae51ac39697027ae6496e16a67093864d3e53e64116e425af4ecfccbdce

SHA512
bd037792465c0c17938896db82cf1971ca41105925a1691d1c7f96e58a06127ea022ffe88b6bd2dd3cb4c6deaa0ee04e714b2243a0022613f2320cdc1ab745e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QY2gp51.exe

Filesize
730KB

MD5
e54d9e841b00a17bbe16720e23d55be3

SHA1
0822df30ca0cb03b9cedcf5586d6e54ada03a100

SHA256
a68f8ae51ac39697027ae6496e16a67093864d3e53e64116e425af4ecfccbdce

SHA512
bd037792465c0c17938896db82cf1971ca41105925a1691d1c7f96e58a06127ea022ffe88b6bd2dd3cb4c6deaa0ee04e714b2243a0022613f2320cdc1ab745e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1kx22dh4.exe

Filesize
1.8MB

MD5
025b8973e6def2ac71917496232a63d9

SHA1
70ea54e30f8c6a1533bee2fdd2bb5a9eb71c71a0

SHA256
5017a237dd34282e460f1216096fcdeb11496cdc81087565290c5f43da9466b0

SHA512
2da8bf36409772635286df4040934eb9f335fa81808dc3db95f4a021f95e6c3d85ca5c9ffd418cbc2d71a368d18015ef85dc83cf96b307dda4c5a7c249062bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1kx22dh4.exe

Filesize
1.8MB

MD5
025b8973e6def2ac71917496232a63d9

SHA1
70ea54e30f8c6a1533bee2fdd2bb5a9eb71c71a0

SHA256
5017a237dd34282e460f1216096fcdeb11496cdc81087565290c5f43da9466b0

SHA512
2da8bf36409772635286df4040934eb9f335fa81808dc3db95f4a021f95e6c3d85ca5c9ffd418cbc2d71a368d18015ef85dc83cf96b307dda4c5a7c249062bd7

Download Submit
memory/1492-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1492-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1492-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1492-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1492-36-0x0000000009680000-0x000000000969E000-memory.dmp

Filesize
120KB

Download
memory/1492-37-0x00000000730D0000-0x00000000737BE000-memory.dmp

Filesize
6.9MB

Download
memory/1492-38-0x0000000009D60000-0x000000000A25E000-memory.dmp

Filesize
5.0MB

Download
memory/1492-39-0x0000000009720000-0x000000000973C000-memory.dmp

Filesize
112KB

Download
memory/1492-40-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-41-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-43-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-45-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-47-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-49-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-51-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-53-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-55-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-57-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-59-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-61-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-63-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-65-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-67-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1492-76-0x00000000730D0000-0x00000000737BE000-memory.dmp

Filesize
6.9MB

Download
memory/1492-91-0x00000000730D0000-0x00000000737BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads