bcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952ae

Analysis

max time kernel
120s
max time network
141s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe
Size

617KB
MD5

a61a40b19b4b6b8f1645f1680869476a
SHA1

d12f29ad9db929a39629ea7548fff0cbab57c9f0
SHA256

bcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952ae
SHA512

1afa2d77d07bc4c3989385b3c8e1c599d39ad6f682c3957c9dada2bc7b994bb237ca1ac3a7d60860a9b2cdb14f595e1c1f12c1daa26562bcab4aba89c7e41a45
SSDEEP

12288:bMrjy90wv8deqSx6et8MsCIjeGfOV3TXraLKdm:EyTkdPSxAMtTjKEm

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Executes dropped EXE 3 IoCs

pid	Process
2836	AK1ZT07.exe
2652	aP3wd33.exe
2720	1PV37OX5.exe

Loads dropped DLL 11 IoCs

pid	Process
2456	NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe
2836	AK1ZT07.exe
2836	AK1ZT07.exe
2652	aP3wd33.exe
2652	aP3wd33.exe
2652	aP3wd33.exe
2720	1PV37OX5.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	AK1ZT07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	aP3wd33.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 2532	2720	1PV37OX5.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2560	2720	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2532	AppLaunch.exe
2532	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	AppLaunch.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2836	2456	NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe	28
PID 2456 wrote to memory of 2836	2456	NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe	28
PID 2456 wrote to memory of 2836	2456	NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe	28
PID 2456 wrote to memory of 2836	2456	NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe	28
PID 2456 wrote to memory of 2836	2456	NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe	28
PID 2456 wrote to memory of 2836	2456	NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe	28
PID 2456 wrote to memory of 2836	2456	NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe	28
PID 2836 wrote to memory of 2652	2836	AK1ZT07.exe	29
PID 2836 wrote to memory of 2652	2836	AK1ZT07.exe	29
PID 2836 wrote to memory of 2652	2836	AK1ZT07.exe	29
PID 2836 wrote to memory of 2652	2836	AK1ZT07.exe	29
PID 2836 wrote to memory of 2652	2836	AK1ZT07.exe	29
PID 2836 wrote to memory of 2652	2836	AK1ZT07.exe	29
PID 2836 wrote to memory of 2652	2836	AK1ZT07.exe	29
PID 2652 wrote to memory of 2720	2652	aP3wd33.exe	30
PID 2652 wrote to memory of 2720	2652	aP3wd33.exe	30
PID 2652 wrote to memory of 2720	2652	aP3wd33.exe	30
PID 2652 wrote to memory of 2720	2652	aP3wd33.exe	30
PID 2652 wrote to memory of 2720	2652	aP3wd33.exe	30
PID 2652 wrote to memory of 2720	2652	aP3wd33.exe	30
PID 2652 wrote to memory of 2720	2652	aP3wd33.exe	30
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2532	2720	1PV37OX5.exe	31
PID 2720 wrote to memory of 2560	2720	1PV37OX5.exe	32
PID 2720 wrote to memory of 2560	2720	1PV37OX5.exe	32
PID 2720 wrote to memory of 2560	2720	1PV37OX5.exe	32
PID 2720 wrote to memory of 2560	2720	1PV37OX5.exe	32
PID 2720 wrote to memory of 2560	2720	1PV37OX5.exe	32
PID 2720 wrote to memory of 2560	2720	1PV37OX5.exe	32
PID 2720 wrote to memory of 2560	2720	1PV37OX5.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASbcafa65151d00c76ec27227dfbbe8ceaec1b39da0ac85e418b2260c3ecb952aeexeexe_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK1ZT07.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK1ZT07.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aP3wd33.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aP3wd33.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 272
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK1ZT07.exe

Filesize
478KB

MD5
2dadc074257c40323d67dea4315f7e1d

SHA1
14008370d8fe892abdd63511c32e908a3c3f2e21

SHA256
2a6e3f08fb38803562189d1161e5c619cb85cd8abc60c3339a380127ef5e1dfd

SHA512
34c2cfc1849401289d8c1ee1da7b17311577011cf22ddf2093f32f218db098d267f96e8b74c48baa8f5ba1d451ae6a1730e4a10ef72250aabffc7d6f98838a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK1ZT07.exe

Filesize
478KB

MD5
2dadc074257c40323d67dea4315f7e1d

SHA1
14008370d8fe892abdd63511c32e908a3c3f2e21

SHA256
2a6e3f08fb38803562189d1161e5c619cb85cd8abc60c3339a380127ef5e1dfd

SHA512
34c2cfc1849401289d8c1ee1da7b17311577011cf22ddf2093f32f218db098d267f96e8b74c48baa8f5ba1d451ae6a1730e4a10ef72250aabffc7d6f98838a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aP3wd33.exe

Filesize
243KB

MD5
945ac5fd5cc97807c3704d271b588a49

SHA1
1d345e129a1329215580cff0904f316fab98da0b

SHA256
4e86facc90789a964a007c1c8e0edf8e6078aaf6174efbe75d0c34c2c011f279

SHA512
887fb26f931bf1b7a276d3a3703a9ccb0800b892f94cb7fdc96cf7243fd2a9ef407c8a22df6f1520d6f8f05d0b40d04d997d24abfc289a408212337e40703f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aP3wd33.exe

Filesize
243KB

MD5
945ac5fd5cc97807c3704d271b588a49

SHA1
1d345e129a1329215580cff0904f316fab98da0b

SHA256
4e86facc90789a964a007c1c8e0edf8e6078aaf6174efbe75d0c34c2c011f279

SHA512
887fb26f931bf1b7a276d3a3703a9ccb0800b892f94cb7fdc96cf7243fd2a9ef407c8a22df6f1520d6f8f05d0b40d04d997d24abfc289a408212337e40703f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK1ZT07.exe

Filesize
478KB

MD5
2dadc074257c40323d67dea4315f7e1d

SHA1
14008370d8fe892abdd63511c32e908a3c3f2e21

SHA256
2a6e3f08fb38803562189d1161e5c619cb85cd8abc60c3339a380127ef5e1dfd

SHA512
34c2cfc1849401289d8c1ee1da7b17311577011cf22ddf2093f32f218db098d267f96e8b74c48baa8f5ba1d451ae6a1730e4a10ef72250aabffc7d6f98838a3c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\AK1ZT07.exe

Filesize
478KB

MD5
2dadc074257c40323d67dea4315f7e1d

SHA1
14008370d8fe892abdd63511c32e908a3c3f2e21

SHA256
2a6e3f08fb38803562189d1161e5c619cb85cd8abc60c3339a380127ef5e1dfd

SHA512
34c2cfc1849401289d8c1ee1da7b17311577011cf22ddf2093f32f218db098d267f96e8b74c48baa8f5ba1d451ae6a1730e4a10ef72250aabffc7d6f98838a3c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\aP3wd33.exe

Filesize
243KB

MD5
945ac5fd5cc97807c3704d271b588a49

SHA1
1d345e129a1329215580cff0904f316fab98da0b

SHA256
4e86facc90789a964a007c1c8e0edf8e6078aaf6174efbe75d0c34c2c011f279

SHA512
887fb26f931bf1b7a276d3a3703a9ccb0800b892f94cb7fdc96cf7243fd2a9ef407c8a22df6f1520d6f8f05d0b40d04d997d24abfc289a408212337e40703f71

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\aP3wd33.exe

Filesize
243KB

MD5
945ac5fd5cc97807c3704d271b588a49

SHA1
1d345e129a1329215580cff0904f316fab98da0b

SHA256
4e86facc90789a964a007c1c8e0edf8e6078aaf6174efbe75d0c34c2c011f279

SHA512
887fb26f931bf1b7a276d3a3703a9ccb0800b892f94cb7fdc96cf7243fd2a9ef407c8a22df6f1520d6f8f05d0b40d04d997d24abfc289a408212337e40703f71

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1PV37OX5.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
memory/2532-34-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2532-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2532-37-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-36-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2532-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2532-38-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2532-40-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2532-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download