Analysis

  • max time kernel
    117s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-10-2023 21:21

General

  • Target

    8300459bb086d9e9a43b4564d3156211.exe

  • Size

    1.2MB

  • MD5

    8300459bb086d9e9a43b4564d3156211

  • SHA1

    dd47169421ace3e07eaf895558499814731e753f

  • SHA256

    e994fe589112f65a701b933e9e1929820746834f2ed0611a5d37f7b8825bf415

  • SHA512

    27c7415ec4a9242b3c0b32eddcf66bb8d092815e30bfe31afa3d9533b7b83fcacac366043dc3e9f508548608178513533be0f132226640fb5dac849c24a320ae

  • SSDEEP

    24576:EyDFskSc+a4rUabqf/PQzEuueSNJNDk+DOBbgBpGZ0HUAicLHQsY:TDOc344Hwz7zSNNqbypc8UvcLHQs

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 14 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8300459bb086d9e9a43b4564d3156211.exe
    "C:\Users\Admin\AppData\Local\Temp\8300459bb086d9e9a43b4564d3156211.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OP3ms31.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OP3ms31.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2eD65.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2eD65.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vT0ff31.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vT0ff31.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tv08Hm9.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tv08Hm9.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2616
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ft9226.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ft9226.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1964
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 268
                7⤵
                • Program crash
                PID:1096
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 284
              6⤵
              • Loads dropped DLL
              • Program crash
              PID:728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OP3ms31.exe

    Filesize

    1.0MB

    MD5

    5a3091ee21c2eae73953f6187d152405

    SHA1

    17aab3ef328d8415c0bd8fe1a92099e4faa7f3c4

    SHA256

    80a4a66d724976f4bf1d44d631f901bb4f76355d18be39135800e16f415ea8bc

    SHA512

    ac0d67adbad395e7b09f347719438167795b806a6264900044ede8a1a032a8f6e2ac22951c8c073dc24e863561286f633425ac21e62ded6707264bcb5290660e

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2eD65.exe

    Filesize

    747KB

    MD5

    fdcf5b503e1d2752f37aa479d8922414

    SHA1

    c529e0fefa0c31fdaa2eeeeaafac6ff93ee60f2b

    SHA256

    3e0184cb0f456a88ae0913c305c0e86d23402d0dce19b9f68d326955d442e4dd

    SHA512

    00ab92c3cde7d424ecd4c5c386532b9b07937e71d826241e570b760338c503960215cd9b57d44aaec971dd12742b291e7f1ff30d801346f54b7cf3fd6f69ac8b

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vT0ff31.exe

    Filesize

    494KB

    MD5

    0f3a62bda0a50cd225db51adc4a40368

    SHA1

    df2c0b4eae2c74454bc198eeb9b7c67d4decd6ff

    SHA256

    0bd0f9b899eabc002967514f78169fa8ed48b1b9bdd77fa196d22f9492011c52

    SHA512

    60e2c5b923b7cec5af99393adf321e5accdbbcbd880457d204835e4164284de3c74fbb3f2a2587dd7e40a780ec16c0993a161b48acbd30ba123730ea4825ba7d

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tv08Hm9.exe

    Filesize

    194KB

    MD5

    6241b03d68a610324ecda52f0f84e287

    SHA1

    da80280b6e3925e455925efd6c6e59a6118269c4

    SHA256

    ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2

    SHA512

    a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ft9226.exe

    Filesize

    448KB

    MD5

    f1432a4597fa0744d496cbe8ebd50fd5

    SHA1

    99e96566aaee582913978531396110bc171101e5

    SHA256

    85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f

    SHA512

    d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

  • memory/1964-85-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1964-87-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1964-76-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1964-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/1964-83-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1964-80-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1964-81-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1964-78-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1964-79-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1964-77-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2616-53-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-49-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-40-0x0000000000AA0000-0x0000000000ABE000-memory.dmp

    Filesize

    120KB

  • memory/2616-51-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-57-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-42-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-43-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-45-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-47-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-41-0x00000000020C0000-0x00000000020DC000-memory.dmp

    Filesize

    112KB

  • memory/2616-69-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-55-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-59-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-61-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-63-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-65-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB

  • memory/2616-67-0x00000000020C0000-0x00000000020D6000-memory.dmp

    Filesize

    88KB