a8a21698423ebb339e1051e787f43cdfb4c9f1a0586a8d032145afedbe3eece8

General

Target

a8a21698423ebb339e1051e787f43cdfb4c9f1a0586a8d032145afedbe3eece8.exe
Size

877KB
MD5

c297d06a1d6cbfbe41b718d0676d91fe
SHA1

5d50c91cffdc719c432aec7b87ad874e89b2b9c8
SHA256

a8a21698423ebb339e1051e787f43cdfb4c9f1a0586a8d032145afedbe3eece8
SHA512

cd8b10cd106330fb18fb4b28878517b7fea4cd204b95564891257d6f111746d5180e490bfcfc17a7d0829f4da3293c93b0a6f6fa86016336cde3e85adaa5757f
SSDEEP

24576:gyL+oJJOjWHNL953OutkOBikFVY1ysxPi:nNJOWtRJFVYc6P

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
4524	ma4Yl96.exe
4872	ZC5Bb67.exe
4668	Wk0MB70.exe
4652	1Fx50zl3.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Wk0MB70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a8a21698423ebb339e1051e787f43cdfb4c9f1a0586a8d032145afedbe3eece8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ma4Yl96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ZC5Bb67.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4652 set thread context of 4628	4652	1Fx50zl3.exe	73

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1328	4652	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4628	AppLaunch.exe
4628	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4524	4772	a8a21698423ebb339e1051e787f43cdfb4c9f1a0586a8d032145afedbe3eece8.exe	69
PID 4772 wrote to memory of 4524	4772	a8a21698423ebb339e1051e787f43cdfb4c9f1a0586a8d032145afedbe3eece8.exe	69
PID 4772 wrote to memory of 4524	4772	a8a21698423ebb339e1051e787f43cdfb4c9f1a0586a8d032145afedbe3eece8.exe	69
PID 4524 wrote to memory of 4872	4524	ma4Yl96.exe	70
PID 4524 wrote to memory of 4872	4524	ma4Yl96.exe	70
PID 4524 wrote to memory of 4872	4524	ma4Yl96.exe	70
PID 4872 wrote to memory of 4668	4872	ZC5Bb67.exe	71
PID 4872 wrote to memory of 4668	4872	ZC5Bb67.exe	71
PID 4872 wrote to memory of 4668	4872	ZC5Bb67.exe	71
PID 4668 wrote to memory of 4652	4668	Wk0MB70.exe	72
PID 4668 wrote to memory of 4652	4668	Wk0MB70.exe	72
PID 4668 wrote to memory of 4652	4668	Wk0MB70.exe	72
PID 4652 wrote to memory of 4628	4652	1Fx50zl3.exe	73
PID 4652 wrote to memory of 4628	4652	1Fx50zl3.exe	73
PID 4652 wrote to memory of 4628	4652	1Fx50zl3.exe	73
PID 4652 wrote to memory of 4628	4652	1Fx50zl3.exe	73
PID 4652 wrote to memory of 4628	4652	1Fx50zl3.exe	73
PID 4652 wrote to memory of 4628	4652	1Fx50zl3.exe	73
PID 4652 wrote to memory of 4628	4652	1Fx50zl3.exe	73
PID 4652 wrote to memory of 4628	4652	1Fx50zl3.exe	73

C:\Users\Admin\AppData\Local\Temp\a8a21698423ebb339e1051e787f43cdfb4c9f1a0586a8d032145afedbe3eece8.exe
"C:\Users\Admin\AppData\Local\Temp\a8a21698423ebb339e1051e787f43cdfb4c9f1a0586a8d032145afedbe3eece8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ma4Yl96.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ma4Yl96.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5Bb67.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5Bb67.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wk0MB70.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wk0MB70.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Fx50zl3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Fx50zl3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 580
        6⤵
        Program crash
        
        PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ma4Yl96.exe

Filesize
738KB

MD5
cc63837a224a9a61ff76eef6a68b85a6

SHA1
3ded0910072df675c2ebca022a41118c0b8b0cd1

SHA256
f2f2335f36135622b5f3168ccd2d3e25202d5ba407a426259aea8e941ab1d014

SHA512
16d9a6d59cfc85bcbae670c8ffd88366fef80cf31abfb60de99556117057b20c1ba0956400714df30893968f5d4dc5fa2818f79cdf7d99bab542133f887d22fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ma4Yl96.exe

Filesize
738KB

MD5
cc63837a224a9a61ff76eef6a68b85a6

SHA1
3ded0910072df675c2ebca022a41118c0b8b0cd1

SHA256
f2f2335f36135622b5f3168ccd2d3e25202d5ba407a426259aea8e941ab1d014

SHA512
16d9a6d59cfc85bcbae670c8ffd88366fef80cf31abfb60de99556117057b20c1ba0956400714df30893968f5d4dc5fa2818f79cdf7d99bab542133f887d22fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5Bb67.exe

Filesize
503KB

MD5
559fe0196234f7af2459157b64bc497d

SHA1
25fc596d30daf3e8b06573ab95e4a897f75df6b1

SHA256
8203f80decdf542f6e65bb844b62ceef3cb4c9b1423618f4e761e2f1f0e78436

SHA512
af5ff0ec65b9eec18f2522dcb89e38d8c5fe61ff9679f4e994beccb5b334e80533973f08866505ef04be64b185f621424b51e2b77fbe35310069d48bca1b9f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5Bb67.exe

Filesize
503KB

MD5
559fe0196234f7af2459157b64bc497d

SHA1
25fc596d30daf3e8b06573ab95e4a897f75df6b1

SHA256
8203f80decdf542f6e65bb844b62ceef3cb4c9b1423618f4e761e2f1f0e78436

SHA512
af5ff0ec65b9eec18f2522dcb89e38d8c5fe61ff9679f4e994beccb5b334e80533973f08866505ef04be64b185f621424b51e2b77fbe35310069d48bca1b9f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wk0MB70.exe

Filesize
317KB

MD5
ce6d2cc7bbf69f7833f3cd2de8bbfd4d

SHA1
78686eb0fa92d48ce1c9490274b555469ea27505

SHA256
4945fa7ce0d0c162b990d9c9e867a050230b3c2d46dcbdd7887414c0e07892ed

SHA512
45b294ad97bf2f6a4222293e994c2dba6792d54f39dee4c5c3506c5f17f63a78c9b507106a9455752583870c4d6d32a77e98dd1a8d2f8635fbfd2c5edf82430e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wk0MB70.exe

Filesize
317KB

MD5
ce6d2cc7bbf69f7833f3cd2de8bbfd4d

SHA1
78686eb0fa92d48ce1c9490274b555469ea27505

SHA256
4945fa7ce0d0c162b990d9c9e867a050230b3c2d46dcbdd7887414c0e07892ed

SHA512
45b294ad97bf2f6a4222293e994c2dba6792d54f39dee4c5c3506c5f17f63a78c9b507106a9455752583870c4d6d32a77e98dd1a8d2f8635fbfd2c5edf82430e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Fx50zl3.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Fx50zl3.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
memory/4628-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4628-31-0x0000000073890000-0x0000000073F7E000-memory.dmp

Filesize
6.9MB

Download
memory/4628-32-0x0000000073890000-0x0000000073F7E000-memory.dmp

Filesize
6.9MB

Download
memory/4628-55-0x0000000073890000-0x0000000073F7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads