6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 17:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe
Size

1.2MB
MD5

023053c19248de6723201a06cbba104f
SHA1

9ec4c5af9f467dd647af08ae9d6d184823d8ef76
SHA256

6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b
SHA512

ae0e1112b1d5c56b3a7e614dfc00691e2603922c224c63441c39043315e1c30988da522a9bb16f525afa1db40c37b6ec4785557dd75b47f647748c692a790292
SSDEEP

24576:2yTJO4XZZhqX7KMTD5vgT9yOZak8x4RuNxZ/Un6RDPDZo:FnTh8X5vM5sVx4u9sYL

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	dE7Jw95.exe
2648	1Za02GU3.exe

Loads dropped DLL 9 IoCs

pid	Process
1248	6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe
3012	dE7Jw95.exe
3012	dE7Jw95.exe
3012	dE7Jw95.exe
2648	1Za02GU3.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dE7Jw95.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2808	2648	1Za02GU3.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1724	2648	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2808	AppLaunch.exe
2808	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	AppLaunch.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 3012	1248	6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe	28
PID 1248 wrote to memory of 3012	1248	6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe	28
PID 1248 wrote to memory of 3012	1248	6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe	28
PID 1248 wrote to memory of 3012	1248	6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe	28
PID 1248 wrote to memory of 3012	1248	6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe	28
PID 1248 wrote to memory of 3012	1248	6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe	28
PID 1248 wrote to memory of 3012	1248	6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe	28
PID 3012 wrote to memory of 2648	3012	dE7Jw95.exe	29
PID 3012 wrote to memory of 2648	3012	dE7Jw95.exe	29
PID 3012 wrote to memory of 2648	3012	dE7Jw95.exe	29
PID 3012 wrote to memory of 2648	3012	dE7Jw95.exe	29
PID 3012 wrote to memory of 2648	3012	dE7Jw95.exe	29
PID 3012 wrote to memory of 2648	3012	dE7Jw95.exe	29
PID 3012 wrote to memory of 2648	3012	dE7Jw95.exe	29
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 2808	2648	1Za02GU3.exe	30
PID 2648 wrote to memory of 1724	2648	1Za02GU3.exe	31
PID 2648 wrote to memory of 1724	2648	1Za02GU3.exe	31
PID 2648 wrote to memory of 1724	2648	1Za02GU3.exe	31
PID 2648 wrote to memory of 1724	2648	1Za02GU3.exe	31
PID 2648 wrote to memory of 1724	2648	1Za02GU3.exe	31
PID 2648 wrote to memory of 1724	2648	1Za02GU3.exe	31
PID 2648 wrote to memory of 1724	2648	1Za02GU3.exe	31

C:\Users\Admin\AppData\Local\Temp\6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6dd62ca2236972e5abecf63e0e9b188905a128ef4ab1ca33c74ab1ce0a6e215b_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dE7Jw95.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dE7Jw95.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 284
      4⤵
      Loads dropped DLL
      Program crash
      PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dE7Jw95.exe

Filesize
725KB

MD5
c65c45014f568041a97d18abcc766bd4

SHA1
401ed5b1381a3cf6babf6a0fab270f07927b0ed7

SHA256
0c237e3f14a52b28fc2db1fbd969ac7ff0b89455b6e5adf75e8bae3aed39a330

SHA512
028ec50c5a3935be7f00ca1b236557733d994084d056b3488560df9feeb0213531078c5d32cb87b99b0a9af4b5b056df08c17a787a156be8fe0ee556cff35044

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dE7Jw95.exe

Filesize
725KB

MD5
c65c45014f568041a97d18abcc766bd4

SHA1
401ed5b1381a3cf6babf6a0fab270f07927b0ed7

SHA256
0c237e3f14a52b28fc2db1fbd969ac7ff0b89455b6e5adf75e8bae3aed39a330

SHA512
028ec50c5a3935be7f00ca1b236557733d994084d056b3488560df9feeb0213531078c5d32cb87b99b0a9af4b5b056df08c17a787a156be8fe0ee556cff35044

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dE7Jw95.exe

Filesize
725KB

MD5
c65c45014f568041a97d18abcc766bd4

SHA1
401ed5b1381a3cf6babf6a0fab270f07927b0ed7

SHA256
0c237e3f14a52b28fc2db1fbd969ac7ff0b89455b6e5adf75e8bae3aed39a330

SHA512
028ec50c5a3935be7f00ca1b236557733d994084d056b3488560df9feeb0213531078c5d32cb87b99b0a9af4b5b056df08c17a787a156be8fe0ee556cff35044

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dE7Jw95.exe

Filesize
725KB

MD5
c65c45014f568041a97d18abcc766bd4

SHA1
401ed5b1381a3cf6babf6a0fab270f07927b0ed7

SHA256
0c237e3f14a52b28fc2db1fbd969ac7ff0b89455b6e5adf75e8bae3aed39a330

SHA512
028ec50c5a3935be7f00ca1b236557733d994084d056b3488560df9feeb0213531078c5d32cb87b99b0a9af4b5b056df08c17a787a156be8fe0ee556cff35044

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Za02GU3.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
memory/2808-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-40-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-38-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download
memory/2808-39-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2808-41-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-43-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-47-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-45-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-51-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-49-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-55-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-53-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-57-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-61-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-59-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-63-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-67-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2808-65-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download