Analysis

max time kernel: 120s
max time network: 127s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2023, 14:58
Static task: static1
Behavioral task behavioral1: sample file.exe on resource win7-20230831-en (this report)
Behavioral task behavioral2: sample file.exe on resource win10v2004-20230915-en
General

Target: file.exe
Size: 1.4MB
MD5: 52004103058f5a84c12ce81799aa7f4b
SHA1: ab2f4b6a202e9d79695165147129f68cc52a38a6
SHA256: a1991359a4031e2dd5d238748184212ff2c7c8b51848dbdcd35b762787f1aae5
SHA512: 916ff0113dfbc63dc881f77da3cf1ace8be65b4ad15976970df121f844c80bad0d7a87d763a144cfca15fbcb768458e7f321ddc690afba3f6874f33396a1094e
SSDEEP: 24576:+yl2yZYl0YwPwAprTjvU7jECi2Ue7R623orbguop1aKu5UaWuXPcUzZk7pKyV58:Ncyi234ARTjqjZeCB3orQpcJ5UaWuNWz
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Note: the signature name is the one the process tree below attaches to PID 2680. Every one of these writes comes from AppLaunch.exe, the Microsoft .NET Framework host whose thread context 1GE40Re8.exe set and whose memory it wrote (see the SetThreadContext and WriteProcessMemory entries), not from any of the dropped executables, so detection should key on the writing image rather than on the dropper names. HKLM\SOFTWARE\Policies is not writable by a standard user, so the chain was running with administrative rights by this point.
Executes dropped EXE 4 IoCs
pid | Process
2980 | Fg5Zt21.exe
2912 | MZ0ZK71.exe
3000 | UD3nV39.exe
2612 | 1GE40Re8.exe
Loads dropped DLL 12 IoCs
pid | Process
2440 | file.exe
2980 | Fg5Zt21.exe
2980 | Fg5Zt21.exe
2912 | MZ0ZK71.exe
2912 | MZ0ZK71.exe
3000 | UD3nV39.exe
3000 | UD3nV39.exe
2612 | 1GE40Re8.exe
2628 | WerFault.exe
2628 | WerFault.exe
2628 | WerFault.exe
2628 | WerFault.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | file.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Fg5Zt21.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | MZ0ZK71.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | UD3nV39.exe
Note: a wextract_cleanupN RunOnce value that calls advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory is the cleanup hook written by the Windows WEXTRACT self-extractor (the IExpress stub); it deletes the extraction directory at next logon and is not an autostart for the payload. Four consecutive counters, each written by the executable the previous layer extracted, show a four-deep nest of self-extracting archives: file.exe > Fg5Zt21.exe > MZ0ZK71.exe > UD3nV39.exe > 1GE40Re8.exe. The Wow6432Node path shows these are 32-bit processes on the x64 image.
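Detection logic for the two registry behaviours above (the Defender Real-Time Protection kill switches and the chained wextract_cleanupN RunOnce writes), as an added example; this is not code from the sandbox or from the sample. It runs over constructed records in a flat Field=value|Field=value form standing in for Sysmon Event ID 13 (RegistryEvent SetValue) output, accepts both the kernel path form used in this report (\REGISTRY\MACHINE\...) and the HKLM\... form Sysmon emits, and treats the allow-list of policy-writing images and the two-layer nesting threshold as assumptions to tune.

```python
"""Registry-event rules for the Defender kill switches and nested WEXTRACT layers
seen in this report, over constructed Sysmon-style SetValue records."""
import re
from dataclasses import dataclass

# The five Real-Time Protection values the report shows AppLaunch.exe setting to 1.
DEFENDER_RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
DEFENDER_KILL_SWITCHES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
# Images allowed to write policy keys. Assumed allow-list; tune it for your estate.
POLICY_WRITERS = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\gpupdate.exe"}

WEXTRACT_RE = re.compile(r"\\runonce\\wextract_cleanup(\d+)$", re.I)
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP", re.I)


@dataclass
class RegEvent:
    image: str    # writing process (Sysmon Image)
    target: str   # registry path (Sysmon TargetObject)
    details: str  # data written (Sysmon Details, e.g. 'DWORD (0x00000001)')


def normalize(path):
    """Map the kernel paths used in the report (\\REGISTRY\\MACHINE\\...) onto HKLM\\..."""
    return path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")


def parse(line):
    """Parse one constructed 'Field=value|Field=value' record (stand-in for Sysmon XML)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return RegEvent(fields["Image"], normalize(fields["TargetObject"]), fields["Details"])


def defender_disabled(ev):
    """Rule 1: a non-policy process sets a Real-Time Protection Disable* value to 1."""
    key, _, value = ev.target.rpartition("\\")
    if key.lower() != DEFENDER_RTP_KEY or value not in DEFENDER_KILL_SWITCHES:
        return None
    if not ev.details.strip().endswith("(0x00000001)"):
        return None   # re-enabled (0) or non-DWORD write: not this rule's concern
    if ev.image.lower() in POLICY_WRITERS:
        return None   # a Group Policy refresh writing the same key is expected
    return f"defender_rtp_disabled:{value}:{ev.image}"


def wextract_chain(events):
    """Rule 2 helper: ordered (image, IXP dir) pairs for wextract_cleanupN RunOnce
    writes that point advpack.dll,DelNodeRunDLL32 at an IXP00n.TMP directory."""
    layers = {}
    for ev in events:
        m = WEXTRACT_RE.search(ev.target)
        d = IXP_RE.search(ev.details)
        if m and d and "advpack.dll,DelNodeRunDLL32" in ev.details:
            layers[int(m.group(1))] = (ev.image, f"IXP{d.group(1)}.TMP")
    return [layers[n] for n in sorted(layers)]


def run(lines, min_layers=2):
    """Apply both rules. One WEXTRACT layer is any ordinary IExpress package;
    min_layers=2 (assumed threshold) flags SFX-inside-SFX nesting as in this report."""
    events = [parse(line) for line in lines]
    alerts = [a for a in (defender_disabled(e) for e in events) if a]
    chain = wextract_chain(events)
    if len(chain) >= min_layers:
        alerts.append("nested_wextract_sfx:" + " > ".join(img for img, _ in chain))
    return alerts


# Constructed sample records modelled on the report's rows (not sandbox output).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"


def _runonce(image, n):
    return (f"Image={image}|TargetObject=\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft"
            f"\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup{n}"
            f"|Details=rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "
            f"\"{TEMP}\\IXP00{n}.TMP\\\"")


def _defender(image, value, dword):
    return (f"Image={image}|TargetObject=\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft"
            f"\\Windows Defender\\Real-Time Protection\\{value}|Details=DWORD (0x0000000{dword})")


SAMPLE = [
    _runonce(TEMP + r"\file.exe", 0),
    _runonce(TEMP + r"\IXP000.TMP\Fg5Zt21.exe", 1),
    _runonce(TEMP + r"\IXP001.TMP\MZ0ZK71.exe", 2),
    _runonce(TEMP + r"\IXP002.TMP\UD3nV39.exe", 3),
    _defender(APPLAUNCH, "DisableRealtimeMonitoring", 1),
    _defender(APPLAUNCH, "DisableBehaviorMonitoring", 1),
    _defender(r"C:\Windows\System32\svchost.exe", "DisableRealtimeMonitoring", 1),  # GPO refresh
    _defender(APPLAUNCH, "DisableRealtimeMonitoring", 0),  # value restored: no alert
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Rule 1 deliberately ignores writes of 0 and writes by the policy engine, because a Group Policy refresh legitimately rewrites these values; what is anomalous here is the writing image, a .NET host under the user's Temp-launched chain. Rule 2 keys on the RunOnce name and the DelNodeRunDLL32 target rather than on file names, so it survives the random names the layers use.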
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2612 set thread context of 2680 | 2612 | 1GE40Re8.exe | 32
Note: 2680 is AppLaunch.exe, the Microsoft .NET Framework launcher, started by 1GE40Re8.exe. SetThreadContext on a freshly created child, together with the 12 WriteProcessMemory calls into the same PID listed below and the fact that every Windows Defender change is attributed to AppLaunch.exe, is consistent with process hollowing: the final payload runs inside AppLaunch.exe's memory, no separate payload file appears in the dropped-file list below, and AppLaunch.exe on disk hashes clean. The dropped-file hashes therefore cover only the extractor layers.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2628 | 2612 | WerFault.exe | 31
(the crashed process is 1GE40Re8.exe, PID 2612; WerFault runs from SysWOW64, so the crashing image is 32-bit)
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2680 | AppLaunch.exe
2680 | AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2680 | AppLaunch.exe
Suspicious use of WriteProcessMemory 47 IoCs
pid | Process | wrote to memory of | procid_target | rows
2440 | file.exe | 2980 | 28 | 7
2980 | Fg5Zt21.exe | 2912 | 29 | 7
2912 | MZ0ZK71.exe | 3000 | 30 | 7
3000 | UD3nV39.exe | 2612 | 31 | 7
2612 | 1GE40Re8.exe | 2680 | 32 | 12
2612 | 1GE40Re8.exe | 2628 | 33 | 7
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 2440
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fg5Zt21.exe
    PID: 2980
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MZ0ZK71.exe
      PID: 2912
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UD3nV39.exe
        PID: 3000
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GE40Re8.exe
          PID: 2612
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 2680
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [depth 6] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 272
            PID: 2628
            - Loads dropped DLL
            - Program crash
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads

Four distinct dropped files are listed. Their sizes (1.3MB, 894KB, 533KB, 232KB) step down from the 1.4MB sample in the way one file per extraction layer would, but the report does not state which hash belongs to which dropped file name.

Filesize: 1.3MB
MD5: 0c572fbe41cbb0572c8800f24702de24
SHA1: 78fac8edfc9a499008ecaa4f51b6d60b5191e94f
SHA256: fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32
SHA512: 5efeb423d25ae756feeed9452d6bf847c66ad11a21b8e982413b428d0b8d9c8a7242935f4b0d3f3bf41d18520e9c0ac2a156cf9a3162a8507d1812e1247979eb

Filesize: 894KB
MD5: 9f326be1d6b50927040011f3a65a0ef6
SHA1: 439a6acdf37c927bbc92e3e41726ff1ca4a3e684
SHA256: 57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333
SHA512: 93f91b64b4e9219b781a4c2a78e78320527d9c07fc5fa0e028fb3acb18329dde266bcb3fe5a900ed93b4c60dfb8370d4631571416a0ec22066c986ed65068cb5

Filesize: 533KB
MD5: 2a2c3dcda47bdfbeed60f4d14c72bc38
SHA1: 5648dc8b940ba0f0f732c507a169425c8f7783fe
SHA256: 22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9
SHA512: 0a35ba79972efe70d605419990b998ef5401608d1791428666614aa8e1ad3c53156172815743a88ddf59cb63d531ce4624c7a4d502049bf92f0d0bbc20aad2d5

Filesize: 232KB
MD5: 3ff825411b1fe07e712a5dcae34f80eb
SHA1: e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256: 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512: 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81
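A hash sweep against the file IOCs this report lists (the submitted sample plus the four dropped files), as an added example rather than anything from the sandbox. The digest table is copied from the General and Downloads sections above; because the report does not map hashes to dropped file names, the labels carry only the sizes it gives. The directory walker and the in-memory variant are assumptions about how a responder would drive it; the demo input is constructed and contains no sample bytes.

```python
"""Hash-match files on disk (or in memory) against the dropped-file IOCs above."""
import hashlib
import os

# digest -> label, from this report. MD5 and SHA256 only; add the SHA1/SHA512
# values from the report in the same way if your feed carries them.
REPORT_IOCS = {
    "52004103058f5a84c12ce81799aa7f4b": "file.exe (1.4MB, submitted sample)",
    "a1991359a4031e2dd5d238748184212ff2c7c8b51848dbdcd35b762787f1aae5": "file.exe (1.4MB, submitted sample)",
    "0c572fbe41cbb0572c8800f24702de24": "dropped file, 1.3MB",
    "fcf4aee311b6f712944f458a837ee03432a3af14ee5b5455be1198e79d492e32": "dropped file, 1.3MB",
    "9f326be1d6b50927040011f3a65a0ef6": "dropped file, 894KB",
    "57f82be8d0fe1612eba4d311de88737ecfbaa80035ff379c7646aecd206ad333": "dropped file, 894KB",
    "2a2c3dcda47bdfbeed60f4d14c72bc38": "dropped file, 533KB",
    "22eeb771a82eef51a841bf88a6a3056b6c50e2ff9c7e8b8080605ae6d4f338b9": "dropped file, 533KB",
    "3ff825411b1fe07e712a5dcae34f80eb": "dropped file, 232KB",
    "69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739": "dropped file, 232KB",
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests(blocks):
    """Compute all four digests in a single pass over an iterable of byte blocks."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for block in blocks:
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data):
    return digests([data])


def hash_file(path, chunk=1 << 20):
    """Stream the file so large drops do not get read into memory whole."""
    with open(path, "rb") as f:
        return digests(iter(lambda: f.read(chunk), b""))


def match(digest_map, iocs):
    """Return (algo, label) for every digest of this file present in the IOC table."""
    return [(a, iocs[digest_map[a]]) for a in ALGOS if digest_map[a] in iocs]


def scan_blobs(blobs, iocs=REPORT_IOCS):
    """In-memory variant: blobs is {name: bytes}; returns [(name, algo, label)]."""
    return [(n, a, l) for n, b in blobs.items() for a, l in match(hash_bytes(b), iocs)]


def scan_dir(root, iocs=REPORT_IOCS):
    """Walk a tree such as a mounted image's Users\\*\\AppData\\Local\\Temp."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                d = hash_file(path)
            except OSError:
                continue   # locked or unreadable file: skip it, keep sweeping
            hits.extend((path, a, l) for a, l in match(d, iocs))
    return hits


if __name__ == "__main__":
    # Constructed demo: one blob whose SHA256 is added to the table as a test IOC.
    demo = {"note.txt": b"abc", "other.bin": b"not an ioc"}
    table = {**REPORT_IOCS, hash_bytes(b"abc")["sha256"]: "constructed test IOC"}
    print(scan_blobs(demo, table))
```

Two caveats follow from the report itself: the IXP00n.TMP directories are deleted by the RunOnce cleanup at next logon, so on a rebooted host expect to recover these files from forensic images or backups rather than the live Temp tree; and because the final stage is injected into AppLaunch.exe, a clean hash sweep does not mean the host is clean, only that the extractor layers are absent. The report's SSDEEP value is not handled here, since fuzzy hashing needs a library outside the standard library.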