1324a2c62066f1d9295d78b999ae028ec5ee12c1125375d3e091e3d0b208e5eb

Analysis

max time kernel
122s
max time network
127s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06/10/2023, 06:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1324a2c62066f1d9295d78b999ae028ec5ee12c1125375d3e091e3d0b208e5eb.exe
Size

1.7MB
MD5

c99e79b699fa25b034f69dbd06b4e6c4
SHA1

c50714059b22caf29d085d186bfa43b92218687e
SHA256

1324a2c62066f1d9295d78b999ae028ec5ee12c1125375d3e091e3d0b208e5eb
SHA512

2d8dc01e4fa91cc8030c3c62364f81163aefda70883be61f86110206508a067cb4a738dd3c67263712399baba4f4ea08b550e4f6e2491b8370b90d727406653f
SSDEEP

49152:PVSx3hRclG4arNG8o8vMelm1x2wyWqeB0ndG37r:wNixarQiTArRyWqeB0dG37r

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
4520	Rd5Rm04.exe
1656	ni7fL07.exe
864	vF1kC46.exe
3868	cN8sm31.exe
3824	1KF07jV4.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1324a2c62066f1d9295d78b999ae028ec5ee12c1125375d3e091e3d0b208e5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rd5Rm04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ni7fL07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	vF1kC46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	cN8sm31.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3824 set thread context of 3664	3824	1KF07jV4.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
244	3824	WerFault.exe	74

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3664	AppLaunch.exe
3664	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	AppLaunch.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4520	3996	1324a2c62066f1d9295d78b999ae028ec5ee12c1125375d3e091e3d0b208e5eb.exe	70
PID 3996 wrote to memory of 4520	3996	1324a2c62066f1d9295d78b999ae028ec5ee12c1125375d3e091e3d0b208e5eb.exe	70
PID 3996 wrote to memory of 4520	3996	1324a2c62066f1d9295d78b999ae028ec5ee12c1125375d3e091e3d0b208e5eb.exe	70
PID 4520 wrote to memory of 1656	4520	Rd5Rm04.exe	71
PID 4520 wrote to memory of 1656	4520	Rd5Rm04.exe	71
PID 4520 wrote to memory of 1656	4520	Rd5Rm04.exe	71
PID 1656 wrote to memory of 864	1656	ni7fL07.exe	72
PID 1656 wrote to memory of 864	1656	ni7fL07.exe	72
PID 1656 wrote to memory of 864	1656	ni7fL07.exe	72
PID 864 wrote to memory of 3868	864	vF1kC46.exe	73
PID 864 wrote to memory of 3868	864	vF1kC46.exe	73
PID 864 wrote to memory of 3868	864	vF1kC46.exe	73
PID 3868 wrote to memory of 3824	3868	cN8sm31.exe	74
PID 3868 wrote to memory of 3824	3868	cN8sm31.exe	74
PID 3868 wrote to memory of 3824	3868	cN8sm31.exe	74
PID 3824 wrote to memory of 3664	3824	1KF07jV4.exe	75
PID 3824 wrote to memory of 3664	3824	1KF07jV4.exe	75
PID 3824 wrote to memory of 3664	3824	1KF07jV4.exe	75
PID 3824 wrote to memory of 3664	3824	1KF07jV4.exe	75
PID 3824 wrote to memory of 3664	3824	1KF07jV4.exe	75
PID 3824 wrote to memory of 3664	3824	1KF07jV4.exe	75
PID 3824 wrote to memory of 3664	3824	1KF07jV4.exe	75
PID 3824 wrote to memory of 3664	3824	1KF07jV4.exe	75
PID 3824 wrote to memory of 3664	3824	1KF07jV4.exe	75

C:\Users\Admin\AppData\Local\Temp\1324a2c62066f1d9295d78b999ae028ec5ee12c1125375d3e091e3d0b208e5eb.exe
"C:\Users\Admin\AppData\Local\Temp\1324a2c62066f1d9295d78b999ae028ec5ee12c1125375d3e091e3d0b208e5eb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rd5Rm04.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rd5Rm04.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ni7fL07.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ni7fL07.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vF1kC46.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vF1kC46.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cN8sm31.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cN8sm31.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KF07jV4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KF07jV4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 560
        7⤵
        Program crash
        
        PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rd5Rm04.exe

Filesize
1.6MB

MD5
c8fa7be3e326569e806e96dd902171ec

SHA1
224a793934c283dc01bb28f11f8122a2811b5896

SHA256
ed66b879a02d771dba5f4f8cf32548bea4c6c6574f640f84ef346db9b7577ba3

SHA512
3a354c6df1e3204c84bea69be0f3e340cd01c009bc56a776a5e2ff051e3eb2928a325eb63a718ca5f4515eef74c97c532c47516a161799f2e971b32e05ac327b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rd5Rm04.exe

Filesize
1.6MB

MD5
c8fa7be3e326569e806e96dd902171ec

SHA1
224a793934c283dc01bb28f11f8122a2811b5896

SHA256
ed66b879a02d771dba5f4f8cf32548bea4c6c6574f640f84ef346db9b7577ba3

SHA512
3a354c6df1e3204c84bea69be0f3e340cd01c009bc56a776a5e2ff051e3eb2928a325eb63a718ca5f4515eef74c97c532c47516a161799f2e971b32e05ac327b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ni7fL07.exe

Filesize
1.4MB

MD5
8839ff28e8c3c35cb7e455ecd802b922

SHA1
719ce6cffaeaa0f61ec9c9ec5dc211641e0d18b1

SHA256
b304118c11a75579a6d11837206dbd14380b7e1150e6e96b8d7e0ff2cd469241

SHA512
2d18cd0b1ae54e7bbefcc848dfbbf063140fd55978d6b432bb13e87efe81b5f80a20022ecce4fee876667dd6fde416ca96196a2499c28b2de964d2f44c5cd4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ni7fL07.exe

Filesize
1.4MB

MD5
8839ff28e8c3c35cb7e455ecd802b922

SHA1
719ce6cffaeaa0f61ec9c9ec5dc211641e0d18b1

SHA256
b304118c11a75579a6d11837206dbd14380b7e1150e6e96b8d7e0ff2cd469241

SHA512
2d18cd0b1ae54e7bbefcc848dfbbf063140fd55978d6b432bb13e87efe81b5f80a20022ecce4fee876667dd6fde416ca96196a2499c28b2de964d2f44c5cd4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vF1kC46.exe

Filesize
1.2MB

MD5
95041b4ef4fd5097a2a3f93bcdba771c

SHA1
e40e43ff8ee0f93b218b72228c6c4579488042cd

SHA256
3c5383ab669ca8e78bb04c17a13672002923cc8e6169c2b1e0745398c817e8d8

SHA512
75deb64d762136ef8dfdf81844d390a8ae7712f1d010d9d351f2f8579d08bebc0a56fbeffa6aa98e0a3d8efe175ee9c4a437f97e169747bb26c683651238ae36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vF1kC46.exe

Filesize
1.2MB

MD5
95041b4ef4fd5097a2a3f93bcdba771c

SHA1
e40e43ff8ee0f93b218b72228c6c4579488042cd

SHA256
3c5383ab669ca8e78bb04c17a13672002923cc8e6169c2b1e0745398c817e8d8

SHA512
75deb64d762136ef8dfdf81844d390a8ae7712f1d010d9d351f2f8579d08bebc0a56fbeffa6aa98e0a3d8efe175ee9c4a437f97e169747bb26c683651238ae36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cN8sm31.exe

Filesize
725KB

MD5
c5aceb3cbdfb53d2f5abaab38c91b1a5

SHA1
d16a5e5ffc70b34d5f7261c9c45ab95301d23c3a

SHA256
e9c122cd2ae80a49174e772830e481354d8287ecafe84bbdb5e2a55f8aa71054

SHA512
ee716a82a96f991bf9ff119f31a9f683a4da1803a708578d483ab87631f17169c9d28015fc7434ffc580edd2f44ab1c109d1aaeb32092f303223fd870720d844

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cN8sm31.exe

Filesize
725KB

MD5
c5aceb3cbdfb53d2f5abaab38c91b1a5

SHA1
d16a5e5ffc70b34d5f7261c9c45ab95301d23c3a

SHA256
e9c122cd2ae80a49174e772830e481354d8287ecafe84bbdb5e2a55f8aa71054

SHA512
ee716a82a96f991bf9ff119f31a9f683a4da1803a708578d483ab87631f17169c9d28015fc7434ffc580edd2f44ab1c109d1aaeb32092f303223fd870720d844

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KF07jV4.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KF07jV4.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
memory/3664-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3664-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3664-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3664-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3664-43-0x0000000000F20000-0x0000000000F3E000-memory.dmp

Filesize
120KB

Download
memory/3664-44-0x0000000072E30000-0x000000007351E000-memory.dmp

Filesize
6.9MB

Download
memory/3664-45-0x00000000094E0000-0x00000000099DE000-memory.dmp

Filesize
5.0MB

Download
memory/3664-46-0x00000000067B0000-0x00000000067CC000-memory.dmp

Filesize
112KB

Download
memory/3664-47-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-48-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-50-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-52-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-54-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-56-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-58-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-60-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-62-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-64-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-66-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-68-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-70-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-72-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-74-0x00000000067B0000-0x00000000067C6000-memory.dmp

Filesize
88KB

Download
memory/3664-83-0x0000000072E30000-0x000000007351E000-memory.dmp

Filesize
6.9MB

Download
memory/3664-98-0x0000000072E30000-0x000000007351E000-memory.dmp

Filesize
6.9MB

Download