59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe
Size

1.2MB
MD5

163985de9028b7e872e3dbf9a4818481
SHA1

6262de9c22e2021501d04c77aefc1ff8095323dc
SHA256

59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18
SHA512

2bb8bc6a14bd3cb5384741e8677b0bee6242eca67c9df3be1610811ae5db37719d6abf60f90fad7570fa333bc6c2a4f22abc3e7a56444f70371f8f39ef3ea97e
SSDEEP

24576:CylqNBbYuyIKBXychE1Obl1f55N/L7phmEt40dUvkRHoy:pl2YnRBXxzbDnhmG4zvkRH

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Executes dropped EXE 2 IoCs

pid	Process
1736	Sn7dK66.exe
3068	1ho43nT5.exe

Loads dropped DLL 9 IoCs

pid	Process
2216	59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe
1736	Sn7dK66.exe
1736	Sn7dK66.exe
1736	Sn7dK66.exe
3068	1ho43nT5.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Sn7dK66.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 2636	3068	1ho43nT5.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2792	3068	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2636	AppLaunch.exe
2636	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	AppLaunch.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1736	2216	59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe	28
PID 2216 wrote to memory of 1736	2216	59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe	28
PID 2216 wrote to memory of 1736	2216	59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe	28
PID 2216 wrote to memory of 1736	2216	59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe	28
PID 2216 wrote to memory of 1736	2216	59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe	28
PID 2216 wrote to memory of 1736	2216	59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe	28
PID 2216 wrote to memory of 1736	2216	59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe	28
PID 1736 wrote to memory of 3068	1736	Sn7dK66.exe	29
PID 1736 wrote to memory of 3068	1736	Sn7dK66.exe	29
PID 1736 wrote to memory of 3068	1736	Sn7dK66.exe	29
PID 1736 wrote to memory of 3068	1736	Sn7dK66.exe	29
PID 1736 wrote to memory of 3068	1736	Sn7dK66.exe	29
PID 1736 wrote to memory of 3068	1736	Sn7dK66.exe	29
PID 1736 wrote to memory of 3068	1736	Sn7dK66.exe	29
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2636	3068	1ho43nT5.exe	30
PID 3068 wrote to memory of 2792	3068	1ho43nT5.exe	31
PID 3068 wrote to memory of 2792	3068	1ho43nT5.exe	31
PID 3068 wrote to memory of 2792	3068	1ho43nT5.exe	31
PID 3068 wrote to memory of 2792	3068	1ho43nT5.exe	31
PID 3068 wrote to memory of 2792	3068	1ho43nT5.exe	31
PID 3068 wrote to memory of 2792	3068	1ho43nT5.exe	31
PID 3068 wrote to memory of 2792	3068	1ho43nT5.exe	31

C:\Users\Admin\AppData\Local\Temp\59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe
"C:\Users\Admin\AppData\Local\Temp\59834117acb260fecdf9504f7fcbc66aa17f3ac4ec5a57e146a7fb6670c65b18_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sn7dK66.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sn7dK66.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 284
      4⤵
      Loads dropped DLL
      Program crash
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sn7dK66.exe

Filesize
734KB

MD5
a4c9ca7ded040755b878da1e7e615def

SHA1
9098193eb341146e1b23a221a090459bf73ca163

SHA256
3f40f90815adc3d305aa274f44a749dc7a43a1963b2ff738df29253a877de749

SHA512
8c04026294eec9ea16fb4e88d70a6b28f8dc37897e653561be2b484ac4481c16e1b00dbbd4f9bfc6af92bb6900a5873c2ca37242a25e7f6af2c66b7705842abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sn7dK66.exe

Filesize
734KB

MD5
a4c9ca7ded040755b878da1e7e615def

SHA1
9098193eb341146e1b23a221a090459bf73ca163

SHA256
3f40f90815adc3d305aa274f44a749dc7a43a1963b2ff738df29253a877de749

SHA512
8c04026294eec9ea16fb4e88d70a6b28f8dc37897e653561be2b484ac4481c16e1b00dbbd4f9bfc6af92bb6900a5873c2ca37242a25e7f6af2c66b7705842abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe

Filesize
1.8MB

MD5
dd4b0ac3a6da09aea56606bf8c1f047c

SHA1
d9ba22a1159857849d7da1e238f08d7bc25d692b

SHA256
8733237591badc909ae3c0411875ae30b58619a50d3b5e9dcb1e207690f77af7

SHA512
4630dc4c3c4d33734016e086fe5741f62ba940e27ab9d7eaeebd65b019d837928ca39d10dc43bc153b1edf344854186c7079b3809722bbafda9d9213dd031e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe

Filesize
1.8MB

MD5
dd4b0ac3a6da09aea56606bf8c1f047c

SHA1
d9ba22a1159857849d7da1e238f08d7bc25d692b

SHA256
8733237591badc909ae3c0411875ae30b58619a50d3b5e9dcb1e207690f77af7

SHA512
4630dc4c3c4d33734016e086fe5741f62ba940e27ab9d7eaeebd65b019d837928ca39d10dc43bc153b1edf344854186c7079b3809722bbafda9d9213dd031e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe

Filesize
1.8MB

MD5
dd4b0ac3a6da09aea56606bf8c1f047c

SHA1
d9ba22a1159857849d7da1e238f08d7bc25d692b

SHA256
8733237591badc909ae3c0411875ae30b58619a50d3b5e9dcb1e207690f77af7

SHA512
4630dc4c3c4d33734016e086fe5741f62ba940e27ab9d7eaeebd65b019d837928ca39d10dc43bc153b1edf344854186c7079b3809722bbafda9d9213dd031e3b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sn7dK66.exe

Filesize
734KB

MD5
a4c9ca7ded040755b878da1e7e615def

SHA1
9098193eb341146e1b23a221a090459bf73ca163

SHA256
3f40f90815adc3d305aa274f44a749dc7a43a1963b2ff738df29253a877de749

SHA512
8c04026294eec9ea16fb4e88d70a6b28f8dc37897e653561be2b484ac4481c16e1b00dbbd4f9bfc6af92bb6900a5873c2ca37242a25e7f6af2c66b7705842abc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sn7dK66.exe

Filesize
734KB

MD5
a4c9ca7ded040755b878da1e7e615def

SHA1
9098193eb341146e1b23a221a090459bf73ca163

SHA256
3f40f90815adc3d305aa274f44a749dc7a43a1963b2ff738df29253a877de749

SHA512
8c04026294eec9ea16fb4e88d70a6b28f8dc37897e653561be2b484ac4481c16e1b00dbbd4f9bfc6af92bb6900a5873c2ca37242a25e7f6af2c66b7705842abc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe

Filesize
1.8MB

MD5
dd4b0ac3a6da09aea56606bf8c1f047c

SHA1
d9ba22a1159857849d7da1e238f08d7bc25d692b

SHA256
8733237591badc909ae3c0411875ae30b58619a50d3b5e9dcb1e207690f77af7

SHA512
4630dc4c3c4d33734016e086fe5741f62ba940e27ab9d7eaeebd65b019d837928ca39d10dc43bc153b1edf344854186c7079b3809722bbafda9d9213dd031e3b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe

Filesize
1.8MB

MD5
dd4b0ac3a6da09aea56606bf8c1f047c

SHA1
d9ba22a1159857849d7da1e238f08d7bc25d692b

SHA256
8733237591badc909ae3c0411875ae30b58619a50d3b5e9dcb1e207690f77af7

SHA512
4630dc4c3c4d33734016e086fe5741f62ba940e27ab9d7eaeebd65b019d837928ca39d10dc43bc153b1edf344854186c7079b3809722bbafda9d9213dd031e3b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe

Filesize
1.8MB

MD5
dd4b0ac3a6da09aea56606bf8c1f047c

SHA1
d9ba22a1159857849d7da1e238f08d7bc25d692b

SHA256
8733237591badc909ae3c0411875ae30b58619a50d3b5e9dcb1e207690f77af7

SHA512
4630dc4c3c4d33734016e086fe5741f62ba940e27ab9d7eaeebd65b019d837928ca39d10dc43bc153b1edf344854186c7079b3809722bbafda9d9213dd031e3b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe

Filesize
1.8MB

MD5
dd4b0ac3a6da09aea56606bf8c1f047c

SHA1
d9ba22a1159857849d7da1e238f08d7bc25d692b

SHA256
8733237591badc909ae3c0411875ae30b58619a50d3b5e9dcb1e207690f77af7

SHA512
4630dc4c3c4d33734016e086fe5741f62ba940e27ab9d7eaeebd65b019d837928ca39d10dc43bc153b1edf344854186c7079b3809722bbafda9d9213dd031e3b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe

Filesize
1.8MB

MD5
dd4b0ac3a6da09aea56606bf8c1f047c

SHA1
d9ba22a1159857849d7da1e238f08d7bc25d692b

SHA256
8733237591badc909ae3c0411875ae30b58619a50d3b5e9dcb1e207690f77af7

SHA512
4630dc4c3c4d33734016e086fe5741f62ba940e27ab9d7eaeebd65b019d837928ca39d10dc43bc153b1edf344854186c7079b3809722bbafda9d9213dd031e3b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe

Filesize
1.8MB

MD5
dd4b0ac3a6da09aea56606bf8c1f047c

SHA1
d9ba22a1159857849d7da1e238f08d7bc25d692b

SHA256
8733237591badc909ae3c0411875ae30b58619a50d3b5e9dcb1e207690f77af7

SHA512
4630dc4c3c4d33734016e086fe5741f62ba940e27ab9d7eaeebd65b019d837928ca39d10dc43bc153b1edf344854186c7079b3809722bbafda9d9213dd031e3b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ho43nT5.exe

Filesize
1.8MB

MD5
dd4b0ac3a6da09aea56606bf8c1f047c

SHA1
d9ba22a1159857849d7da1e238f08d7bc25d692b

SHA256
8733237591badc909ae3c0411875ae30b58619a50d3b5e9dcb1e207690f77af7

SHA512
4630dc4c3c4d33734016e086fe5741f62ba940e27ab9d7eaeebd65b019d837928ca39d10dc43bc153b1edf344854186c7079b3809722bbafda9d9213dd031e3b

Download Submit
memory/2636-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-73-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-43-0x00000000003A0000-0x00000000003BE000-memory.dmp

Filesize
120KB

Download
memory/2636-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-45-0x0000000000C10000-0x0000000000C2C000-memory.dmp

Filesize
112KB

Download
memory/2636-47-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-57-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-63-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-33-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-71-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-69-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-67-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-65-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-61-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-59-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-55-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-53-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-51-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-49-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-46-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2636-74-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-75-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download