857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe
Size

1.2MB
MD5

151245d70cdadc1b70546c09c304c98b
SHA1

06a4d9d4731a9fac56bd651fabda0725c1881b49
SHA256

857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384
SHA512

666d123be28443c923056cf8ccd9a1c6c17b20a7af0a662957252b10fa843cdbdfc17a862ab2119cee066563c11ef05a7d8c674244b692ff9feff989bebfff39
SSDEEP

24576:qyATbmWjFAfgaCf9Pw+BBM2bRZyBW55joxFeQHridhliLyWI:xAHmWj6ga69/lRZyimHQ

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Executes dropped EXE 2 IoCs

pid	Process
2244	oh6xz47.exe
2652	1Ux05Bo7.exe

Loads dropped DLL 9 IoCs

pid	Process
924	857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe
2244	oh6xz47.exe
2244	oh6xz47.exe
2244	oh6xz47.exe
2652	1Ux05Bo7.exe
2660	WerFault.exe
2660	WerFault.exe
2660	WerFault.exe
2660	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oh6xz47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 2600	2652	1Ux05Bo7.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2660	2652	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2600	AppLaunch.exe
2600	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	AppLaunch.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 2244	924	857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe	28
PID 924 wrote to memory of 2244	924	857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe	28
PID 924 wrote to memory of 2244	924	857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe	28
PID 924 wrote to memory of 2244	924	857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe	28
PID 924 wrote to memory of 2244	924	857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe	28
PID 924 wrote to memory of 2244	924	857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe	28
PID 924 wrote to memory of 2244	924	857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe	28
PID 2244 wrote to memory of 2652	2244	oh6xz47.exe	29
PID 2244 wrote to memory of 2652	2244	oh6xz47.exe	29
PID 2244 wrote to memory of 2652	2244	oh6xz47.exe	29
PID 2244 wrote to memory of 2652	2244	oh6xz47.exe	29
PID 2244 wrote to memory of 2652	2244	oh6xz47.exe	29
PID 2244 wrote to memory of 2652	2244	oh6xz47.exe	29
PID 2244 wrote to memory of 2652	2244	oh6xz47.exe	29
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2600	2652	1Ux05Bo7.exe	30
PID 2652 wrote to memory of 2660	2652	1Ux05Bo7.exe	31
PID 2652 wrote to memory of 2660	2652	1Ux05Bo7.exe	31
PID 2652 wrote to memory of 2660	2652	1Ux05Bo7.exe	31
PID 2652 wrote to memory of 2660	2652	1Ux05Bo7.exe	31
PID 2652 wrote to memory of 2660	2652	1Ux05Bo7.exe	31
PID 2652 wrote to memory of 2660	2652	1Ux05Bo7.exe	31
PID 2652 wrote to memory of 2660	2652	1Ux05Bo7.exe	31

C:\Users\Admin\AppData\Local\Temp\857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe
"C:\Users\Admin\AppData\Local\Temp\857589ab2c65e000fe946bcee75a084ff5fd6785867b29d57f27bfd3576b9384_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oh6xz47.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oh6xz47.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 284
      4⤵
      Loads dropped DLL
      Program crash
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oh6xz47.exe

Filesize
736KB

MD5
df458dabe43ab9e78475104ee7681fc8

SHA1
9fa367dc38d6f290d64e1ccff6479b66dc290ef1

SHA256
0930227407d50496d8b167173b429afa8ef8ae6156e908ea91d1963f142f3830

SHA512
8e5a9609f7069dae5128340753fc146d1f3967cb856be63e1c077defd73b76b1638032006c3b36cc660fc8e46a125d22ecf0f6f51c24718e811179fc685e0e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oh6xz47.exe

Filesize
736KB

MD5
df458dabe43ab9e78475104ee7681fc8

SHA1
9fa367dc38d6f290d64e1ccff6479b66dc290ef1

SHA256
0930227407d50496d8b167173b429afa8ef8ae6156e908ea91d1963f142f3830

SHA512
8e5a9609f7069dae5128340753fc146d1f3967cb856be63e1c077defd73b76b1638032006c3b36cc660fc8e46a125d22ecf0f6f51c24718e811179fc685e0e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe

Filesize
1.8MB

MD5
b7ecc2c47c894a629fa35d794c96eaea

SHA1
bccc37942fe5f9cdc11939bdea99b9dd4702276f

SHA256
fc8e0c0a47f6520fc8bf0ca53321f0dc87b3b7613f9b9a48a43d684ed63b55a7

SHA512
46e6303687cbe29021bb7d4bf0d4c85bffa7bc45ff21fa62fa1e90291064e55f0f8055171f8befa2ff8658a3b2fc78aacd56239a4373654373a8dfcd90a50c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe

Filesize
1.8MB

MD5
b7ecc2c47c894a629fa35d794c96eaea

SHA1
bccc37942fe5f9cdc11939bdea99b9dd4702276f

SHA256
fc8e0c0a47f6520fc8bf0ca53321f0dc87b3b7613f9b9a48a43d684ed63b55a7

SHA512
46e6303687cbe29021bb7d4bf0d4c85bffa7bc45ff21fa62fa1e90291064e55f0f8055171f8befa2ff8658a3b2fc78aacd56239a4373654373a8dfcd90a50c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe

Filesize
1.8MB

MD5
b7ecc2c47c894a629fa35d794c96eaea

SHA1
bccc37942fe5f9cdc11939bdea99b9dd4702276f

SHA256
fc8e0c0a47f6520fc8bf0ca53321f0dc87b3b7613f9b9a48a43d684ed63b55a7

SHA512
46e6303687cbe29021bb7d4bf0d4c85bffa7bc45ff21fa62fa1e90291064e55f0f8055171f8befa2ff8658a3b2fc78aacd56239a4373654373a8dfcd90a50c23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\oh6xz47.exe

Filesize
736KB

MD5
df458dabe43ab9e78475104ee7681fc8

SHA1
9fa367dc38d6f290d64e1ccff6479b66dc290ef1

SHA256
0930227407d50496d8b167173b429afa8ef8ae6156e908ea91d1963f142f3830

SHA512
8e5a9609f7069dae5128340753fc146d1f3967cb856be63e1c077defd73b76b1638032006c3b36cc660fc8e46a125d22ecf0f6f51c24718e811179fc685e0e27

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\oh6xz47.exe

Filesize
736KB

MD5
df458dabe43ab9e78475104ee7681fc8

SHA1
9fa367dc38d6f290d64e1ccff6479b66dc290ef1

SHA256
0930227407d50496d8b167173b429afa8ef8ae6156e908ea91d1963f142f3830

SHA512
8e5a9609f7069dae5128340753fc146d1f3967cb856be63e1c077defd73b76b1638032006c3b36cc660fc8e46a125d22ecf0f6f51c24718e811179fc685e0e27

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe

Filesize
1.8MB

MD5
b7ecc2c47c894a629fa35d794c96eaea

SHA1
bccc37942fe5f9cdc11939bdea99b9dd4702276f

SHA256
fc8e0c0a47f6520fc8bf0ca53321f0dc87b3b7613f9b9a48a43d684ed63b55a7

SHA512
46e6303687cbe29021bb7d4bf0d4c85bffa7bc45ff21fa62fa1e90291064e55f0f8055171f8befa2ff8658a3b2fc78aacd56239a4373654373a8dfcd90a50c23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe

Filesize
1.8MB

MD5
b7ecc2c47c894a629fa35d794c96eaea

SHA1
bccc37942fe5f9cdc11939bdea99b9dd4702276f

SHA256
fc8e0c0a47f6520fc8bf0ca53321f0dc87b3b7613f9b9a48a43d684ed63b55a7

SHA512
46e6303687cbe29021bb7d4bf0d4c85bffa7bc45ff21fa62fa1e90291064e55f0f8055171f8befa2ff8658a3b2fc78aacd56239a4373654373a8dfcd90a50c23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe

Filesize
1.8MB

MD5
b7ecc2c47c894a629fa35d794c96eaea

SHA1
bccc37942fe5f9cdc11939bdea99b9dd4702276f

SHA256
fc8e0c0a47f6520fc8bf0ca53321f0dc87b3b7613f9b9a48a43d684ed63b55a7

SHA512
46e6303687cbe29021bb7d4bf0d4c85bffa7bc45ff21fa62fa1e90291064e55f0f8055171f8befa2ff8658a3b2fc78aacd56239a4373654373a8dfcd90a50c23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe

Filesize
1.8MB

MD5
b7ecc2c47c894a629fa35d794c96eaea

SHA1
bccc37942fe5f9cdc11939bdea99b9dd4702276f

SHA256
fc8e0c0a47f6520fc8bf0ca53321f0dc87b3b7613f9b9a48a43d684ed63b55a7

SHA512
46e6303687cbe29021bb7d4bf0d4c85bffa7bc45ff21fa62fa1e90291064e55f0f8055171f8befa2ff8658a3b2fc78aacd56239a4373654373a8dfcd90a50c23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe

Filesize
1.8MB

MD5
b7ecc2c47c894a629fa35d794c96eaea

SHA1
bccc37942fe5f9cdc11939bdea99b9dd4702276f

SHA256
fc8e0c0a47f6520fc8bf0ca53321f0dc87b3b7613f9b9a48a43d684ed63b55a7

SHA512
46e6303687cbe29021bb7d4bf0d4c85bffa7bc45ff21fa62fa1e90291064e55f0f8055171f8befa2ff8658a3b2fc78aacd56239a4373654373a8dfcd90a50c23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe

Filesize
1.8MB

MD5
b7ecc2c47c894a629fa35d794c96eaea

SHA1
bccc37942fe5f9cdc11939bdea99b9dd4702276f

SHA256
fc8e0c0a47f6520fc8bf0ca53321f0dc87b3b7613f9b9a48a43d684ed63b55a7

SHA512
46e6303687cbe29021bb7d4bf0d4c85bffa7bc45ff21fa62fa1e90291064e55f0f8055171f8befa2ff8658a3b2fc78aacd56239a4373654373a8dfcd90a50c23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ux05Bo7.exe

Filesize
1.8MB

MD5
b7ecc2c47c894a629fa35d794c96eaea

SHA1
bccc37942fe5f9cdc11939bdea99b9dd4702276f

SHA256
fc8e0c0a47f6520fc8bf0ca53321f0dc87b3b7613f9b9a48a43d684ed63b55a7

SHA512
46e6303687cbe29021bb7d4bf0d4c85bffa7bc45ff21fa62fa1e90291064e55f0f8055171f8befa2ff8658a3b2fc78aacd56239a4373654373a8dfcd90a50c23

Download Submit
memory/2600-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-63-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-38-0x00000000007B0000-0x00000000007CE000-memory.dmp

Filesize
120KB

Download
memory/2600-39-0x00000000007E0000-0x00000000007FC000-memory.dmp

Filesize
112KB

Download
memory/2600-45-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-55-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-67-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-65-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-61-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-59-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-57-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-53-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-51-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-49-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-47-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-43-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-41-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2600-40-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download