10bff39f9f63fb26bd3cb9eef5add86fe1ba8007c0d03d7a09cebb8ea4c39358

Analysis

max time kernel
195s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2023, 04:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.5MB
MD5

5f9567ab294d3a3ec16962968b23e547
SHA1

68ea4052344324bb374fa4c1d71411512a913ac2
SHA256

10bff39f9f63fb26bd3cb9eef5add86fe1ba8007c0d03d7a09cebb8ea4c39358
SHA512

0e4a3ea420eb1105b58eaef6eb2601c48dfdb2847630d97f71c52f115f04098562d3f3f3e2af08e976c9a70ef39cea24477436d5fd86fe92c1979eebb8860702
SSDEEP

24576:7yYxZ0IUKv+tcI/4U2C2C4foJKnFVDxXskdBc1xq82+hTjT/NtqzTJ2Js:uaRbI/b2C2C4rnvxccBc1Q82eTjTbqzO

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1jC77UA6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1jC77UA6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1jC77UA6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1jC77UA6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1jC77UA6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1jC77UA6.exe

Executes dropped EXE 5 IoCs

pid	Process
3272	ZI8GG82.exe
3516	FX3JK55.exe
4300	BE1iS88.exe
3860	1jC77UA6.exe
4960	2bo8530.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1jC77UA6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1jC77UA6.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ZI8GG82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	FX3JK55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	BE1iS88.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3860	1jC77UA6.exe
3860	1jC77UA6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	1jC77UA6.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3272	4980	file.exe	87
PID 4980 wrote to memory of 3272	4980	file.exe	87
PID 4980 wrote to memory of 3272	4980	file.exe	87
PID 3272 wrote to memory of 3516	3272	ZI8GG82.exe	89
PID 3272 wrote to memory of 3516	3272	ZI8GG82.exe	89
PID 3272 wrote to memory of 3516	3272	ZI8GG82.exe	89
PID 3516 wrote to memory of 4300	3516	FX3JK55.exe	90
PID 3516 wrote to memory of 4300	3516	FX3JK55.exe	90
PID 3516 wrote to memory of 4300	3516	FX3JK55.exe	90
PID 4300 wrote to memory of 3860	4300	BE1iS88.exe	91
PID 4300 wrote to memory of 3860	4300	BE1iS88.exe	91
PID 4300 wrote to memory of 3860	4300	BE1iS88.exe	91
PID 4300 wrote to memory of 4960	4300	BE1iS88.exe	102
PID 4300 wrote to memory of 4960	4300	BE1iS88.exe	102
PID 4300 wrote to memory of 4960	4300	BE1iS88.exe	102

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI8GG82.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI8GG82.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FX3JK55.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FX3JK55.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE1iS88.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE1iS88.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jC77UA6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jC77UA6.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2bo8530.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2bo8530.exe
        5⤵
        Executes dropped EXE
        
        PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI8GG82.exe

Filesize
1.3MB

MD5
b0feaf42428a9c9525db0021da9a4829

SHA1
4795a9f20beeb3de5168da55ce54f1af35cc650e

SHA256
fbffe5d848f7d79dc91a4385e68ee967c9ca5a7c273dc955b2593dfe84b0913a

SHA512
678dc8eb1df648814ba89ac2d62121bec217ae59453b01fc6b80f6f60a0bbed47c7274a2552b355a71bcfc3c4ccd0ddce4e7279e5581887d1426d21e7fbb771b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI8GG82.exe

Filesize
1.3MB

MD5
b0feaf42428a9c9525db0021da9a4829

SHA1
4795a9f20beeb3de5168da55ce54f1af35cc650e

SHA256
fbffe5d848f7d79dc91a4385e68ee967c9ca5a7c273dc955b2593dfe84b0913a

SHA512
678dc8eb1df648814ba89ac2d62121bec217ae59453b01fc6b80f6f60a0bbed47c7274a2552b355a71bcfc3c4ccd0ddce4e7279e5581887d1426d21e7fbb771b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FX3JK55.exe

Filesize
839KB

MD5
5c381e78eddc9069b2631f13fd957b41

SHA1
f9ad21582f50ed3c756559b49c3dad1247e7f7b4

SHA256
8549a28a8d4310e5c4a7fef5e9621a12c34e05a0fecc224d47d8e2f72378a01c

SHA512
fe37841fa671a209b72d0feab37a5b85c5a7712a7171cb5ba01aca38ce47bdc1a32f581837a2c12dff4c4db9bf4a6a5a44cbfc97e1bf1c44589aad0c27084991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FX3JK55.exe

Filesize
839KB

MD5
5c381e78eddc9069b2631f13fd957b41

SHA1
f9ad21582f50ed3c756559b49c3dad1247e7f7b4

SHA256
8549a28a8d4310e5c4a7fef5e9621a12c34e05a0fecc224d47d8e2f72378a01c

SHA512
fe37841fa671a209b72d0feab37a5b85c5a7712a7171cb5ba01aca38ce47bdc1a32f581837a2c12dff4c4db9bf4a6a5a44cbfc97e1bf1c44589aad0c27084991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE1iS88.exe

Filesize
362KB

MD5
fe7df10201be20ceb9cb920bf44c4756

SHA1
84135bd55f2e95bbbb33f7747da65c633612773d

SHA256
4dce95492aed21434d065b84a47f0c4e6a714bd6a762bf2eef355acaaf4c5501

SHA512
673000a390394cd2deeab2fa0aa7c6b10a210493b9ce847730b0467647e92e569124067f6bc1ad308f72a1b106b17c1beb77f019beb5da380217fadaa514264a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE1iS88.exe

Filesize
362KB

MD5
fe7df10201be20ceb9cb920bf44c4756

SHA1
84135bd55f2e95bbbb33f7747da65c633612773d

SHA256
4dce95492aed21434d065b84a47f0c4e6a714bd6a762bf2eef355acaaf4c5501

SHA512
673000a390394cd2deeab2fa0aa7c6b10a210493b9ce847730b0467647e92e569124067f6bc1ad308f72a1b106b17c1beb77f019beb5da380217fadaa514264a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jC77UA6.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jC77UA6.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2bo8530.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2bo8530.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
memory/3860-38-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-47-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-32-0x0000000004AD0000-0x0000000005074000-memory.dmp

Filesize
5.6MB

Download
memory/3860-33-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3860-34-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3860-35-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3860-36-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3860-37-0x0000000005090000-0x00000000050AC000-memory.dmp

Filesize
112KB

Download
memory/3860-30-0x0000000002180000-0x000000000219E000-memory.dmp

Filesize
120KB

Download
memory/3860-39-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-41-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-45-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-43-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-31-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3860-49-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-51-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-53-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-55-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-57-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-59-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-61-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-63-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-65-0x0000000005090000-0x00000000050A6000-memory.dmp

Filesize
88KB

Download
memory/3860-67-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3860-29-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3860-28-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download