41f7e0470500869ec08f02dc15c617530366c87b2e9b88d737a4cc6da8b3f6ec

Analysis

max time kernel
125s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06/10/2023, 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41f7e0470500869ec08f02dc15c617530366c87b2e9b88d737a4cc6da8b3f6ec.exe
Size

1.7MB
MD5

ade24d5fe9103f8d5bc932ac9e5a1b12
SHA1

e7126cf193a5ed3bef181a573789254f258c84bc
SHA256

41f7e0470500869ec08f02dc15c617530366c87b2e9b88d737a4cc6da8b3f6ec
SHA512

14e473f1da2b23f41dd1e0766ee59147506a25ecdb4fd2a62df0eabfcaf740bc8eda7cdf959dcd257657abcc42c9cb69c57bba0da04fc17204822296db2f794d
SSDEEP

49152:bhP+rwhDFCux5lCfVvMcA1v5Z0P3ohJYghZrM:tP+EhDF/DwcGP3oQghV

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
596	jl2bi06.exe
1260	VU2GO48.exe
4540	MU6Ik76.exe
2664	do2Pj35.exe
5000	1Vb42rw9.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	do2Pj35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	41f7e0470500869ec08f02dc15c617530366c87b2e9b88d737a4cc6da8b3f6ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jl2bi06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VU2GO48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	MU6Ik76.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5000 set thread context of 4668	5000	1Vb42rw9.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3956	5000	WerFault.exe	74

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4668	AppLaunch.exe
4668	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	AppLaunch.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 596	4224	41f7e0470500869ec08f02dc15c617530366c87b2e9b88d737a4cc6da8b3f6ec.exe	70
PID 4224 wrote to memory of 596	4224	41f7e0470500869ec08f02dc15c617530366c87b2e9b88d737a4cc6da8b3f6ec.exe	70
PID 4224 wrote to memory of 596	4224	41f7e0470500869ec08f02dc15c617530366c87b2e9b88d737a4cc6da8b3f6ec.exe	70
PID 596 wrote to memory of 1260	596	jl2bi06.exe	71
PID 596 wrote to memory of 1260	596	jl2bi06.exe	71
PID 596 wrote to memory of 1260	596	jl2bi06.exe	71
PID 1260 wrote to memory of 4540	1260	VU2GO48.exe	72
PID 1260 wrote to memory of 4540	1260	VU2GO48.exe	72
PID 1260 wrote to memory of 4540	1260	VU2GO48.exe	72
PID 4540 wrote to memory of 2664	4540	MU6Ik76.exe	73
PID 4540 wrote to memory of 2664	4540	MU6Ik76.exe	73
PID 4540 wrote to memory of 2664	4540	MU6Ik76.exe	73
PID 2664 wrote to memory of 5000	2664	do2Pj35.exe	74
PID 2664 wrote to memory of 5000	2664	do2Pj35.exe	74
PID 2664 wrote to memory of 5000	2664	do2Pj35.exe	74
PID 5000 wrote to memory of 4668	5000	1Vb42rw9.exe	75
PID 5000 wrote to memory of 4668	5000	1Vb42rw9.exe	75
PID 5000 wrote to memory of 4668	5000	1Vb42rw9.exe	75
PID 5000 wrote to memory of 4668	5000	1Vb42rw9.exe	75
PID 5000 wrote to memory of 4668	5000	1Vb42rw9.exe	75
PID 5000 wrote to memory of 4668	5000	1Vb42rw9.exe	75
PID 5000 wrote to memory of 4668	5000	1Vb42rw9.exe	75
PID 5000 wrote to memory of 4668	5000	1Vb42rw9.exe	75
PID 5000 wrote to memory of 4668	5000	1Vb42rw9.exe	75

C:\Users\Admin\AppData\Local\Temp\41f7e0470500869ec08f02dc15c617530366c87b2e9b88d737a4cc6da8b3f6ec.exe
"C:\Users\Admin\AppData\Local\Temp\41f7e0470500869ec08f02dc15c617530366c87b2e9b88d737a4cc6da8b3f6ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jl2bi06.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jl2bi06.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU2GO48.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU2GO48.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU6Ik76.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU6Ik76.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\do2Pj35.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\do2Pj35.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vb42rw9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vb42rw9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 564
        7⤵
        Program crash
        
        PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jl2bi06.exe

Filesize
1.6MB

MD5
fa1d206ffbd3d61847a5524cfa4dbabb

SHA1
cd902bdeeaee1ed9e3cef49bbaeb4bd7ce1a3b25

SHA256
d965a586513532905e52a80f33c1d92b6d2cea465f773dce6e71824d4f4b437c

SHA512
75988a3b013f7d74cfe6e759274c34a793a3e707a8d8363d8eb0dd3f96f3abe5909b9c4f6dca46064d72f1d2518bde70185f643cbc06dc7bee9b1047213c3b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jl2bi06.exe

Filesize
1.6MB

MD5
fa1d206ffbd3d61847a5524cfa4dbabb

SHA1
cd902bdeeaee1ed9e3cef49bbaeb4bd7ce1a3b25

SHA256
d965a586513532905e52a80f33c1d92b6d2cea465f773dce6e71824d4f4b437c

SHA512
75988a3b013f7d74cfe6e759274c34a793a3e707a8d8363d8eb0dd3f96f3abe5909b9c4f6dca46064d72f1d2518bde70185f643cbc06dc7bee9b1047213c3b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU2GO48.exe

Filesize
1.4MB

MD5
c32257bcb317733a15199e376ab6e92d

SHA1
028497b6db187dc77f4c2ef2835e4874b61a42a4

SHA256
0a985ce00f95876b8e813db4f02450da78dbdc5cf366e62bcce24c7b8a8ec95f

SHA512
86f949d61b3881c12be26a9e074cc8d683f98cde978ff1fdac0b9ad4d3a5655a3f1e2cb0ab179bdfd2c4a72bb190563792b875c73dd1c890dc90728cd8f9f00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VU2GO48.exe

Filesize
1.4MB

MD5
c32257bcb317733a15199e376ab6e92d

SHA1
028497b6db187dc77f4c2ef2835e4874b61a42a4

SHA256
0a985ce00f95876b8e813db4f02450da78dbdc5cf366e62bcce24c7b8a8ec95f

SHA512
86f949d61b3881c12be26a9e074cc8d683f98cde978ff1fdac0b9ad4d3a5655a3f1e2cb0ab179bdfd2c4a72bb190563792b875c73dd1c890dc90728cd8f9f00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU6Ik76.exe

Filesize
1.2MB

MD5
182d8e9456bce221c940008c38b74336

SHA1
556e7557334d76d8ad02c97c602f909252e4a915

SHA256
0bb170a026c6d9a85e6df7eae645c323c2ecb2c03d6428dd291c369995b683c8

SHA512
f4552db3ce89f9895c59ead84106f8e25fb0249f639dccf03143aa1aeaeca2f997fd6c95ac3a85f68ed4b90f0ae54c9acaec1da21b24d5bd50f004807a279395

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU6Ik76.exe

Filesize
1.2MB

MD5
182d8e9456bce221c940008c38b74336

SHA1
556e7557334d76d8ad02c97c602f909252e4a915

SHA256
0bb170a026c6d9a85e6df7eae645c323c2ecb2c03d6428dd291c369995b683c8

SHA512
f4552db3ce89f9895c59ead84106f8e25fb0249f639dccf03143aa1aeaeca2f997fd6c95ac3a85f68ed4b90f0ae54c9acaec1da21b24d5bd50f004807a279395

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\do2Pj35.exe

Filesize
725KB

MD5
15e65ffc98187396d14046542bca8ed3

SHA1
7d6078e07f23bbdcfc0f6de0ab2ffbd489e8cbf9

SHA256
fc86d97ba0cc6787174ba872d478e33cdb9ecccb04934846606a7fde6f8290ac

SHA512
192d775dbfb7f1d97402c4e3527108c046f332b2ae7be02e215772c45c2cb147ca3174525f65fe852da1eb81b196b60bb414516bd305f6a345a8c517f8b43bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\do2Pj35.exe

Filesize
725KB

MD5
15e65ffc98187396d14046542bca8ed3

SHA1
7d6078e07f23bbdcfc0f6de0ab2ffbd489e8cbf9

SHA256
fc86d97ba0cc6787174ba872d478e33cdb9ecccb04934846606a7fde6f8290ac

SHA512
192d775dbfb7f1d97402c4e3527108c046f332b2ae7be02e215772c45c2cb147ca3174525f65fe852da1eb81b196b60bb414516bd305f6a345a8c517f8b43bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vb42rw9.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vb42rw9.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
memory/4668-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4668-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4668-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4668-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4668-43-0x0000000004D60000-0x0000000004D7E000-memory.dmp

Filesize
120KB

Download
memory/4668-44-0x0000000072980000-0x000000007306E000-memory.dmp

Filesize
6.9MB

Download
memory/4668-45-0x00000000096A0000-0x0000000009B9E000-memory.dmp

Filesize
5.0MB

Download
memory/4668-46-0x0000000006B80000-0x0000000006B9C000-memory.dmp

Filesize
112KB

Download
memory/4668-47-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-48-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-50-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-52-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-54-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-56-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-58-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-60-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-62-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-64-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-66-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-68-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-70-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-72-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-74-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/4668-83-0x0000000072980000-0x000000007306E000-memory.dmp

Filesize
6.9MB

Download
memory/4668-98-0x0000000072980000-0x000000007306E000-memory.dmp

Filesize
6.9MB

Download