a3787d1e7c003d843f375b411d66eddcd371ece6c4ad795b8c6207a47c8a4d18

General

Target

a3787d1e7c003d843f375b411d66eddcd371ece6c4ad795b8c6207a47c8a4d18.exe
Size

1.8MB
MD5

fdb81886ae7c656822136d957db873a4
SHA1

b102d88e64e3e6df1a1da415e0d9f490ba160820
SHA256

a3787d1e7c003d843f375b411d66eddcd371ece6c4ad795b8c6207a47c8a4d18
SHA512

bd6e7c834d4d9b4bf9fe36283fb433897774d7ed4dd43276942c0ab4ef14f7c1924c18ee7d323adf75e3bbc0fcddc4d3067bbb38e0ac721d1703650cc9cf5e52
SSDEEP

49152:2mgjMzHehaTQvMlY2f77KE9SfJLTfyth:9lMJeD7t9sy7

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
2848	dZ2hX48.exe
876	RK5ZG46.exe
4356	nW3Fn11.exe
4340	1WB63rK8.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	RK5ZG46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nW3Fn11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a3787d1e7c003d843f375b411d66eddcd371ece6c4ad795b8c6207a47c8a4d18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dZ2hX48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4340 set thread context of 3096	4340	1WB63rK8.exe	74

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3604	4340	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3096	AppLaunch.exe
3096	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2848	2776	a3787d1e7c003d843f375b411d66eddcd371ece6c4ad795b8c6207a47c8a4d18.exe	70
PID 2776 wrote to memory of 2848	2776	a3787d1e7c003d843f375b411d66eddcd371ece6c4ad795b8c6207a47c8a4d18.exe	70
PID 2776 wrote to memory of 2848	2776	a3787d1e7c003d843f375b411d66eddcd371ece6c4ad795b8c6207a47c8a4d18.exe	70
PID 2848 wrote to memory of 876	2848	dZ2hX48.exe	71
PID 2848 wrote to memory of 876	2848	dZ2hX48.exe	71
PID 2848 wrote to memory of 876	2848	dZ2hX48.exe	71
PID 876 wrote to memory of 4356	876	RK5ZG46.exe	72
PID 876 wrote to memory of 4356	876	RK5ZG46.exe	72
PID 876 wrote to memory of 4356	876	RK5ZG46.exe	72
PID 4356 wrote to memory of 4340	4356	nW3Fn11.exe	73
PID 4356 wrote to memory of 4340	4356	nW3Fn11.exe	73
PID 4356 wrote to memory of 4340	4356	nW3Fn11.exe	73
PID 4340 wrote to memory of 3096	4340	1WB63rK8.exe	74
PID 4340 wrote to memory of 3096	4340	1WB63rK8.exe	74
PID 4340 wrote to memory of 3096	4340	1WB63rK8.exe	74
PID 4340 wrote to memory of 3096	4340	1WB63rK8.exe	74
PID 4340 wrote to memory of 3096	4340	1WB63rK8.exe	74
PID 4340 wrote to memory of 3096	4340	1WB63rK8.exe	74
PID 4340 wrote to memory of 3096	4340	1WB63rK8.exe	74
PID 4340 wrote to memory of 3096	4340	1WB63rK8.exe	74
PID 4340 wrote to memory of 3096	4340	1WB63rK8.exe	74

C:\Users\Admin\AppData\Local\Temp\a3787d1e7c003d843f375b411d66eddcd371ece6c4ad795b8c6207a47c8a4d18.exe
"C:\Users\Admin\AppData\Local\Temp\a3787d1e7c003d843f375b411d66eddcd371ece6c4ad795b8c6207a47c8a4d18.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dZ2hX48.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dZ2hX48.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RK5ZG46.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RK5ZG46.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nW3Fn11.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nW3Fn11.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WB63rK8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WB63rK8.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 560
        6⤵
        Program crash
        
        PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dZ2hX48.exe

Filesize
1.7MB

MD5
5b5dcd726536a650afc41e69d5d3dfa1

SHA1
3a9bac0573becaf624cf565f753480eb1ad0b9b6

SHA256
7081fbdf34a88389a2dad55d951e43c690658663b2b560800ba089986977e718

SHA512
edd908692deb6d60797c509cab29be6b0a02f8e786727ac64c287648e9e6386f43e6bc6a3ba5d682719cfc81f0ed687fff45ae55467274c2e873591319b9d546

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dZ2hX48.exe

Filesize
1.7MB

MD5
5b5dcd726536a650afc41e69d5d3dfa1

SHA1
3a9bac0573becaf624cf565f753480eb1ad0b9b6

SHA256
7081fbdf34a88389a2dad55d951e43c690658663b2b560800ba089986977e718

SHA512
edd908692deb6d60797c509cab29be6b0a02f8e786727ac64c287648e9e6386f43e6bc6a3ba5d682719cfc81f0ed687fff45ae55467274c2e873591319b9d546

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RK5ZG46.exe

Filesize
1.2MB

MD5
941cd7ae5c24433db9f8966ab713f530

SHA1
26500a6eb00f64b81160b75b011b921c092cb97b

SHA256
547e69c90de37a991cb7d42c146049af77768163b69f30d97f842d22a269c175

SHA512
e556c90132cad33f81939d3347de23bb79ce2462dcd527e2966405f0867920da0af86c2772cc98c424243382f4626f15ab3222a44c34d49c360ff3af56dbd344

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RK5ZG46.exe

Filesize
1.2MB

MD5
941cd7ae5c24433db9f8966ab713f530

SHA1
26500a6eb00f64b81160b75b011b921c092cb97b

SHA256
547e69c90de37a991cb7d42c146049af77768163b69f30d97f842d22a269c175

SHA512
e556c90132cad33f81939d3347de23bb79ce2462dcd527e2966405f0867920da0af86c2772cc98c424243382f4626f15ab3222a44c34d49c360ff3af56dbd344

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nW3Fn11.exe

Filesize
725KB

MD5
62b4275e1c81b947d8ec0051b4a74426

SHA1
3c7d19a5f18c741ae07501edf59ed030b7d44acb

SHA256
bf4c91c619936ba4426f723c1afcccd01078e9adf1b315c0e11c729730a6c1bf

SHA512
313077119552a8a289e93256389d8812cc90d06b12361f81e5e507fdf4ec7c2445436aaab91efb1db205b318e9254a809eb9895811e2e596582457ba2016ea50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nW3Fn11.exe

Filesize
725KB

MD5
62b4275e1c81b947d8ec0051b4a74426

SHA1
3c7d19a5f18c741ae07501edf59ed030b7d44acb

SHA256
bf4c91c619936ba4426f723c1afcccd01078e9adf1b315c0e11c729730a6c1bf

SHA512
313077119552a8a289e93256389d8812cc90d06b12361f81e5e507fdf4ec7c2445436aaab91efb1db205b318e9254a809eb9895811e2e596582457ba2016ea50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WB63rK8.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WB63rK8.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
memory/3096-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3096-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3096-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3096-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3096-37-0x0000000072A90000-0x000000007317E000-memory.dmp

Filesize
6.9MB

Download
memory/3096-36-0x0000000006E50000-0x0000000006E6E000-memory.dmp

Filesize
120KB

Download
memory/3096-38-0x0000000009C60000-0x000000000A15E000-memory.dmp

Filesize
5.0MB

Download
memory/3096-39-0x00000000095A0000-0x00000000095BC000-memory.dmp

Filesize
112KB

Download
memory/3096-40-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-41-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-43-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-45-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-47-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-49-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-51-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-55-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-53-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-57-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-59-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-61-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-63-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-65-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-67-0x00000000095A0000-0x00000000095B6000-memory.dmp

Filesize
88KB

Download
memory/3096-76-0x0000000072A90000-0x000000007317E000-memory.dmp

Filesize
6.9MB

Download
memory/3096-610-0x0000000072A90000-0x000000007317E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads