f1c6d07f63a186f8062759611ba61bfe91a110beaf2f0eb95b4df7f4727cba3b

General

Target

f1c6d07f63a186f8062759611ba61bfe91a110beaf2f0eb95b4df7f4727cba3b.exe
Size

1.5MB
MD5

0745325fb0107d63cf21e4e546299cd8
SHA1

65373fa3001c2efe8c6477e5bf137442af44b0d8
SHA256

f1c6d07f63a186f8062759611ba61bfe91a110beaf2f0eb95b4df7f4727cba3b
SHA512

d39006c33520b4f8c1e611a3ac75ef0ab54bf7a2db85f79c218718ed9de0d5b77ccbed5d038df7f6351e57074688719629f90c55bbaf1f8bc3214fb054f0cb08
SSDEEP

24576:4yAjNMYlLkXfa5SXHvUZ7pDJiFEqSvgQd15eU/MWwvvcoquZwKevYRlH6gOva:/GJM5XHMRpV0vSPjGpcEZptTHOv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
524	bA1Rr85.exe
1376	nY1GC56.exe
2428	cN7nn69.exe
3912	1yf92Vy2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f1c6d07f63a186f8062759611ba61bfe91a110beaf2f0eb95b4df7f4727cba3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bA1Rr85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nY1GC56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	cN7nn69.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3912 set thread context of 4964	3912	1yf92Vy2.exe	73

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3636	3912	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4964	AppLaunch.exe
4964	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 524	3364	f1c6d07f63a186f8062759611ba61bfe91a110beaf2f0eb95b4df7f4727cba3b.exe	69
PID 3364 wrote to memory of 524	3364	f1c6d07f63a186f8062759611ba61bfe91a110beaf2f0eb95b4df7f4727cba3b.exe	69
PID 3364 wrote to memory of 524	3364	f1c6d07f63a186f8062759611ba61bfe91a110beaf2f0eb95b4df7f4727cba3b.exe	69
PID 524 wrote to memory of 1376	524	bA1Rr85.exe	70
PID 524 wrote to memory of 1376	524	bA1Rr85.exe	70
PID 524 wrote to memory of 1376	524	bA1Rr85.exe	70
PID 1376 wrote to memory of 2428	1376	nY1GC56.exe	71
PID 1376 wrote to memory of 2428	1376	nY1GC56.exe	71
PID 1376 wrote to memory of 2428	1376	nY1GC56.exe	71
PID 2428 wrote to memory of 3912	2428	cN7nn69.exe	72
PID 2428 wrote to memory of 3912	2428	cN7nn69.exe	72
PID 2428 wrote to memory of 3912	2428	cN7nn69.exe	72
PID 3912 wrote to memory of 4964	3912	1yf92Vy2.exe	73
PID 3912 wrote to memory of 4964	3912	1yf92Vy2.exe	73
PID 3912 wrote to memory of 4964	3912	1yf92Vy2.exe	73
PID 3912 wrote to memory of 4964	3912	1yf92Vy2.exe	73
PID 3912 wrote to memory of 4964	3912	1yf92Vy2.exe	73
PID 3912 wrote to memory of 4964	3912	1yf92Vy2.exe	73
PID 3912 wrote to memory of 4964	3912	1yf92Vy2.exe	73
PID 3912 wrote to memory of 4964	3912	1yf92Vy2.exe	73

C:\Users\Admin\AppData\Local\Temp\f1c6d07f63a186f8062759611ba61bfe91a110beaf2f0eb95b4df7f4727cba3b.exe
"C:\Users\Admin\AppData\Local\Temp\f1c6d07f63a186f8062759611ba61bfe91a110beaf2f0eb95b4df7f4727cba3b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bA1Rr85.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bA1Rr85.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nY1GC56.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nY1GC56.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cN7nn69.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cN7nn69.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yf92Vy2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yf92Vy2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3912
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 552
        6⤵
        Program crash
        
        PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bA1Rr85.exe

Filesize
1.3MB

MD5
6a681b2ce8b897b1baddf4161c5bdc28

SHA1
b41db205c9c460cd18ca97c3bcc9bcbd5fd2fea4

SHA256
0de54472397c60929c5a129d6e7276442e92f53efe4b13340378d6292175ca9d

SHA512
ce5f9031d7ca9f5ece73bb9c869229d4eaec7b51db5ee9e29d437faa77bf8b06d6a9281567261a726ff28ab432fbb4a7f4e03968fa74350df1c4a7cbe87cd266

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bA1Rr85.exe

Filesize
1.3MB

MD5
6a681b2ce8b897b1baddf4161c5bdc28

SHA1
b41db205c9c460cd18ca97c3bcc9bcbd5fd2fea4

SHA256
0de54472397c60929c5a129d6e7276442e92f53efe4b13340378d6292175ca9d

SHA512
ce5f9031d7ca9f5ece73bb9c869229d4eaec7b51db5ee9e29d437faa77bf8b06d6a9281567261a726ff28ab432fbb4a7f4e03968fa74350df1c4a7cbe87cd266

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nY1GC56.exe

Filesize
931KB

MD5
a41ea019e3e998484053d4cfcab78cac

SHA1
b42177449a11bd06bffef4afabaccb982671e376

SHA256
11165efc7245567f2a41a91ae32b8032964890553656dc4460b188bf8a33a5fd

SHA512
d7b5f20651e8f0a6c4bb3b9969300e453058c8718f0480a5b32702b016a47beb831916ea4a8b60b92a1671b9ef358177dd9fcd175916115e1c9c1ac5effc0502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nY1GC56.exe

Filesize
931KB

MD5
a41ea019e3e998484053d4cfcab78cac

SHA1
b42177449a11bd06bffef4afabaccb982671e376

SHA256
11165efc7245567f2a41a91ae32b8032964890553656dc4460b188bf8a33a5fd

SHA512
d7b5f20651e8f0a6c4bb3b9969300e453058c8718f0480a5b32702b016a47beb831916ea4a8b60b92a1671b9ef358177dd9fcd175916115e1c9c1ac5effc0502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cN7nn69.exe

Filesize
548KB

MD5
8aa0b3ecedde3ea6f933029f41cbe56e

SHA1
b66dda70117b78adbde1e6794ebfe7fe0bfc8b66

SHA256
3f518e0f3aa5e39ec2d4c82fc1f42f3da9fbf5fa159f4e553c963cd15d1fbd18

SHA512
8a33e3789f2567207624a5087cbd76d6400b2e822a6a1bafc4ed651f5e2b6458beed31ad6f52bbd2fe3b349012169db45214e7c95f0cdde9d6bfd87d753df913

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cN7nn69.exe

Filesize
548KB

MD5
8aa0b3ecedde3ea6f933029f41cbe56e

SHA1
b66dda70117b78adbde1e6794ebfe7fe0bfc8b66

SHA256
3f518e0f3aa5e39ec2d4c82fc1f42f3da9fbf5fa159f4e553c963cd15d1fbd18

SHA512
8a33e3789f2567207624a5087cbd76d6400b2e822a6a1bafc4ed651f5e2b6458beed31ad6f52bbd2fe3b349012169db45214e7c95f0cdde9d6bfd87d753df913

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yf92Vy2.exe

Filesize
232KB

MD5
3ff825411b1fe07e712a5dcae34f80eb

SHA1
e3e4358cabfa74d6e36e26754b01ed78434a6877

SHA256
69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

SHA512
325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yf92Vy2.exe

Filesize
232KB

MD5
3ff825411b1fe07e712a5dcae34f80eb

SHA1
e3e4358cabfa74d6e36e26754b01ed78434a6877

SHA256
69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

SHA512
325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

Download Submit
memory/4964-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4964-31-0x0000000073320000-0x0000000073A0E000-memory.dmp

Filesize
6.9MB

Download
memory/4964-40-0x0000000073320000-0x0000000073A0E000-memory.dmp

Filesize
6.9MB

Download
memory/4964-55-0x0000000073320000-0x0000000073A0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads