Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2023, 14:39
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20230915-en
General
Target: file.exe
Size: 1.4MB
MD5: af5deb947e3232e4ff52f8f0e696924e
SHA1: 257f668a42ac1e58fcff2360c84d1417707985db
SHA256: 1a0824a466dc05e4cf37bdd04072487942a7b7160a81c88abc26f593197854e3
SHA512: fd105b68ba2d96587001db79921c329eadb9b79572cd7740a91965eec20991b2d923d2632b6951cb539848c92db6542f1f24942f740779136ee20ace3283b145
SSDEEP: 24576:zyiwGNLamtNC71Qxi//dYKyAyImP2e6+MJMsRCOxuRDR13DJQ/o:GgTtNM1eW/dYayIHe6+MBy1W
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description      ioc                                                                                                                  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  AppLaunch.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                  AppLaunch.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    AppLaunch.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        AppLaunch.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    AppLaunch.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    AppLaunch.exe
Executes dropped EXE 4 IoCs
pid   Process
3020  pB9Zx89.exe
2280  Vb5iN99.exe
3044  zI7Oe61.exe
2720  1ca09pa1.exe
Loads dropped DLL 12 IoCs
pid   Process
2204  file.exe
3020  pB9Zx89.exe
3020  pB9Zx89.exe
2280  Vb5iN99.exe
2280  Vb5iN99.exe
3044  zI7Oe61.exe
3044  zI7Oe61.exe
2720  1ca09pa1.exe
2508  WerFault.exe
2508  WerFault.exe
2508  WerFault.exe
2508  WerFault.exe
Adds Run key to start application 2 TTPs 4 IoCs
description      ioc                                                                                                                                                                                                                        Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  pB9Zx89.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  Vb5iN99.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  zI7Oe61.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  file.exe
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process       procid_target
PID 2720 set thread context of 2660  2720  1ca09pa1.exe  32
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2508  2720        WerFault.exe  31
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2660  AppLaunch.exe
2660  AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2660  AppLaunch.exe
Suspicious use of WriteProcessMemory 47 IoCs
description                       pid   Process       procid_target  count
PID 2204 wrote to memory of 3020  2204  file.exe      28             7
PID 3020 wrote to memory of 2280  3020  pB9Zx89.exe   29             7
PID 2280 wrote to memory of 3044  2280  Vb5iN99.exe   30             7
PID 3044 wrote to memory of 2720  3044  zI7Oe61.exe   31             7
PID 2720 wrote to memory of 2660  2720  1ca09pa1.exe  32             12
PID 2720 wrote to memory of 2508  2720  1ca09pa1.exe  33             7
(identical rows collapsed; the count column is the number of times each row is reported, 47 in total)
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   PID: 2204
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB9Zx89.exe
      PID: 3020
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vb5iN99.exe
         PID: 2280
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zI7Oe61.exe
            PID: 3044
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ca09pa1.exe
               PID: 2720
               - Executes dropped EXE
               - Loads dropped DLL
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID: 2660
                  - Modifies Windows Defender Real-time Protection settings
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 272
                  PID: 2508
                  - Loads dropped DLL
                  - Program crash
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 1.3MB (listed 4 times)
MD5: 38cd41a598692b23d66f8c0f64cc06ee
SHA1: ffc771b0fc265351137ed5efe18ecf624a1c4961
SHA256: d5e6b08331779c9325b8224be3315c79d56b43aaab36fffa494f6253b4098d15
SHA512: 097d21401f059b17d1d2b385fede3c46db876f115136a70d2fbdce141374eec9406aacfc93d7a15096ee463da84d0f85181882c09089075093b5a24d9b15756a

Filesize: 894KB (listed 4 times)
MD5: 5f37239d82fa00bab08d877604de6233
SHA1: 5b4a0df32e1bfc1bd16758a7a3661d18506213c6
SHA256: fd6ef9a170635abed5389e9c2f029a6bd03c4a0676224a2d45984f7ded3ca9d9
SHA512: d0cd47fc434dcff65fc55a4849d9fbc2485f3a8a99790b9f0fd55c2d0c2d605258e99714c9ff855e8158e125b978e4f40298de14597d6a751085d19b1e80acb5

Filesize: 533KB (listed 4 times)
MD5: 744ec0b6b09691ec528dc493ec4f11e3
SHA1: ae7d507d9b82a6df6abd7a3569c929785a0daa83
SHA256: 258d72a518f22af13623c8023686c5f96817fb854c71b9f0f5bfa5c9da715d65
SHA512: bcef2e0e9a3ee710f90414c00388e30e8c20b13892ee119b7adc397a235824d6e2360965f567e6c40964b01d4e915546ef2ae7814128c7402c5ac1e8a2e4996f

Filesize: 232KB (listed 8 times)
MD5: 3ff825411b1fe07e712a5dcae34f80eb
SHA1: e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256: 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512: 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81