f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3

Analysis

max time kernel
117s
max time network
125s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
10/10/2023, 11:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3.exe
Size

1.2MB
MD5

768ea902b8a19de2479cefe8ee38ab5b
SHA1

f422ee01f7cc935f68a8d4718c4fc01a8fb78972
SHA256

f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3
SHA512

f43ced8dcc3fd999feb514fdca3ed3a782421e3c836c278fe33c7a66188e4a0f71f6a78317ea0699aab8be9b5b5aba61ae9a0ee838eebdc742e28d77f8d7aa91
SSDEEP

24576:nyiHHhbGu/cb7n7AG2Amah8Qaf24x5KXYmGbd4cAYAn:yihb9+0G2A5h8QafvXcRGO0

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1RE40cp9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1RE40cp9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1RE40cp9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1RE40cp9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1RE40cp9.exe

Executes dropped EXE 5 IoCs

pid	Process
4200	za6up07.exe
4912	wj7cP36.exe
4264	EP7BG61.exe
5040	1RE40cp9.exe
2332	2gS8319.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1RE40cp9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1RE40cp9.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	EP7BG61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za6up07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	wj7cP36.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 3232	2332	2gS8319.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2584	2332	WerFault.exe	73
4848	3232	WerFault.exe	75

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5040	1RE40cp9.exe
5040	1RE40cp9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	1RE40cp9.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 4200	4872	f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3.exe	69
PID 4872 wrote to memory of 4200	4872	f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3.exe	69
PID 4872 wrote to memory of 4200	4872	f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3.exe	69
PID 4200 wrote to memory of 4912	4200	za6up07.exe	70
PID 4200 wrote to memory of 4912	4200	za6up07.exe	70
PID 4200 wrote to memory of 4912	4200	za6up07.exe	70
PID 4912 wrote to memory of 4264	4912	wj7cP36.exe	71
PID 4912 wrote to memory of 4264	4912	wj7cP36.exe	71
PID 4912 wrote to memory of 4264	4912	wj7cP36.exe	71
PID 4264 wrote to memory of 5040	4264	EP7BG61.exe	72
PID 4264 wrote to memory of 5040	4264	EP7BG61.exe	72
PID 4264 wrote to memory of 5040	4264	EP7BG61.exe	72
PID 4264 wrote to memory of 2332	4264	EP7BG61.exe	73
PID 4264 wrote to memory of 2332	4264	EP7BG61.exe	73
PID 4264 wrote to memory of 2332	4264	EP7BG61.exe	73
PID 2332 wrote to memory of 3268	2332	2gS8319.exe	74
PID 2332 wrote to memory of 3268	2332	2gS8319.exe	74
PID 2332 wrote to memory of 3268	2332	2gS8319.exe	74
PID 2332 wrote to memory of 3232	2332	2gS8319.exe	75
PID 2332 wrote to memory of 3232	2332	2gS8319.exe	75
PID 2332 wrote to memory of 3232	2332	2gS8319.exe	75
PID 2332 wrote to memory of 3232	2332	2gS8319.exe	75
PID 2332 wrote to memory of 3232	2332	2gS8319.exe	75
PID 2332 wrote to memory of 3232	2332	2gS8319.exe	75
PID 2332 wrote to memory of 3232	2332	2gS8319.exe	75
PID 2332 wrote to memory of 3232	2332	2gS8319.exe	75
PID 2332 wrote to memory of 3232	2332	2gS8319.exe	75
PID 2332 wrote to memory of 3232	2332	2gS8319.exe	75

C:\Users\Admin\AppData\Local\Temp\f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3.exe
"C:\Users\Admin\AppData\Local\Temp\f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za6up07.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za6up07.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wj7cP36.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wj7cP36.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EP7BG61.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EP7BG61.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RE40cp9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RE40cp9.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2gS8319.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2gS8319.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3268
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 568
        7⤵
        Program crash
        
        PID:4848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 576
        6⤵
        Program crash
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za6up07.exe

Filesize
1.0MB

MD5
5f6f2e90497891c3e2a4a5659fc6ec10

SHA1
e9d66d8765a11ac1aa96c6272bbb165978359b8b

SHA256
e2188146b25739570613fb57161003ab8ce3dfd4111d119e723ab27615dec20f

SHA512
6837d97a550d2d867f90f39b5ee8e3b6e4b367f8661cd0f48d4c7f39b8bc540e2ac407296066577e950ddb90ee8a391785c8f3f2dac62b8a689c1408136da861

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za6up07.exe

Filesize
1.0MB

MD5
5f6f2e90497891c3e2a4a5659fc6ec10

SHA1
e9d66d8765a11ac1aa96c6272bbb165978359b8b

SHA256
e2188146b25739570613fb57161003ab8ce3dfd4111d119e723ab27615dec20f

SHA512
6837d97a550d2d867f90f39b5ee8e3b6e4b367f8661cd0f48d4c7f39b8bc540e2ac407296066577e950ddb90ee8a391785c8f3f2dac62b8a689c1408136da861

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wj7cP36.exe

Filesize
744KB

MD5
0f45f794a6725a0f950c0ed7e15d0fd8

SHA1
aa1f7d406e748457b0d0ff383387eeeb7709dbba

SHA256
f8a32f3d67b2d962a15f1df2e4553ae1a57edae0ae9c626beed6b127b497834a

SHA512
c62740744e38ab25674d3d832e9e7bcb9c2c4e3e8c848df8549bf717aa661b216824a654a5bea91dba42353ba109ee3a59115fc502aa7ada802ce066f0273085

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wj7cP36.exe

Filesize
744KB

MD5
0f45f794a6725a0f950c0ed7e15d0fd8

SHA1
aa1f7d406e748457b0d0ff383387eeeb7709dbba

SHA256
f8a32f3d67b2d962a15f1df2e4553ae1a57edae0ae9c626beed6b127b497834a

SHA512
c62740744e38ab25674d3d832e9e7bcb9c2c4e3e8c848df8549bf717aa661b216824a654a5bea91dba42353ba109ee3a59115fc502aa7ada802ce066f0273085

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EP7BG61.exe

Filesize
492KB

MD5
51a06520d3d4b04e7e0339c88780f502

SHA1
2c06643b4af99b109c2ef1c27033a8c2e749e4ee

SHA256
0e755659628cf59713982d70026d09b730777c3de22d0c17cb2a6599324400de

SHA512
06849b668e64c356a8e1f1ef178db6dfd400f004a018c243f2d925b8b1ce0b22dd721b5be3d0a80d6f036521067d48cb78711d04ba44d170e04ce5a34b9daab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EP7BG61.exe

Filesize
492KB

MD5
51a06520d3d4b04e7e0339c88780f502

SHA1
2c06643b4af99b109c2ef1c27033a8c2e749e4ee

SHA256
0e755659628cf59713982d70026d09b730777c3de22d0c17cb2a6599324400de

SHA512
06849b668e64c356a8e1f1ef178db6dfd400f004a018c243f2d925b8b1ce0b22dd721b5be3d0a80d6f036521067d48cb78711d04ba44d170e04ce5a34b9daab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RE40cp9.exe

Filesize
194KB

MD5
6241b03d68a610324ecda52f0f84e287

SHA1
da80280b6e3925e455925efd6c6e59a6118269c4

SHA256
ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2

SHA512
a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RE40cp9.exe

Filesize
194KB

MD5
6241b03d68a610324ecda52f0f84e287

SHA1
da80280b6e3925e455925efd6c6e59a6118269c4

SHA256
ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2

SHA512
a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2gS8319.exe

Filesize
446KB

MD5
d4deda2731d5874e222a6d3a6aeb0b7f

SHA1
437b5aaa25608bd89a2aac85174718e8448873b4

SHA256
93003b640af4060989df99edbd3b39a10bd44230157270bad40bd170f0a7eb45

SHA512
4009b34a8f9a5a59fa907b05752ba93c8f6ddc0995b3abab188524dff6e6f92a71e127fd24323aaca58f1ee996e2243913f14a6c6f9db3e936d40d5ae64cacf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2gS8319.exe

Filesize
446KB

MD5
d4deda2731d5874e222a6d3a6aeb0b7f

SHA1
437b5aaa25608bd89a2aac85174718e8448873b4

SHA256
93003b640af4060989df99edbd3b39a10bd44230157270bad40bd170f0a7eb45

SHA512
4009b34a8f9a5a59fa907b05752ba93c8f6ddc0995b3abab188524dff6e6f92a71e127fd24323aaca58f1ee996e2243913f14a6c6f9db3e936d40d5ae64cacf1

Download Submit
memory/3232-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-39-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-57-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-35-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-41-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-43-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-45-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-47-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-49-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-51-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-53-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-55-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-37-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-59-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-60-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/5040-62-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/5040-33-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-32-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/5040-31-0x0000000004930000-0x000000000494C000-memory.dmp

Filesize
112KB

Download
memory/5040-30-0x0000000004A00000-0x0000000004EFE000-memory.dmp

Filesize
5.0MB

Download
memory/5040-29-0x0000000002290000-0x00000000022AE000-memory.dmp

Filesize
120KB

Download
memory/5040-28-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download