Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
19/10/2023, 14:02
Static task
static1
Behavioral task
behavioral1
Sample
07d9513c0d5a6193a06e26992041e1f9.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
07d9513c0d5a6193a06e26992041e1f9.exe
Resource
win10v2004-20230915-en
General
-
Target
07d9513c0d5a6193a06e26992041e1f9.exe
-
Size
502KB
-
MD5
07d9513c0d5a6193a06e26992041e1f9
-
SHA1
fe0f667135c185ad62d6d57b38855c60ced98cca
-
SHA256
f7b1d14018860b1352161d763bb44d62ae2bf66c2f63987bdf208a117508bf3b
-
SHA512
2d3d2f1227c07a736a8779b222e7d1ab87dd89fec5d1352309653bb4df7c4bbe04c682d83cac02337fb4f4ad8b49536895cb0a29c9e2e1a0d996403df06fd3a6
-
SSDEEP
6144:KLy+bnr+np0yN90QEqm8FP7d1L6kHaE22CaqOk+GwabT/oXqWWPHrIyr9wwHKs:pMrny90sx17d1LCErCaqDoQDX8yLKs
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe -
Executes dropped EXE 2 IoCs
pid Process 2020 iC4Qt00.exe 3000 1YI02Tr0.exe -
Loads dropped DLL 9 IoCs
pid Process 1756 07d9513c0d5a6193a06e26992041e1f9.exe 2020 iC4Qt00.exe 2020 iC4Qt00.exe 2020 iC4Qt00.exe 3000 1YI02Tr0.exe 2440 WerFault.exe 2440 WerFault.exe 2440 WerFault.exe 2440 WerFault.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 07d9513c0d5a6193a06e26992041e1f9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" iC4Qt00.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3000 set thread context of 2736 3000 1YI02Tr0.exe 31 -
Program crash 1 IoCs
pid pid_target Process procid_target 2440 3000 WerFault.exe 29 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2736 AppLaunch.exe 2736 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2736 AppLaunch.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 1756 wrote to memory of 2020 1756 07d9513c0d5a6193a06e26992041e1f9.exe 28 PID 1756 wrote to memory of 2020 1756 07d9513c0d5a6193a06e26992041e1f9.exe 28 PID 1756 wrote to memory of 2020 1756 07d9513c0d5a6193a06e26992041e1f9.exe 28 PID 1756 wrote to memory of 2020 1756 07d9513c0d5a6193a06e26992041e1f9.exe 28 PID 1756 wrote to memory of 2020 1756 07d9513c0d5a6193a06e26992041e1f9.exe 28 PID 1756 wrote to memory of 2020 1756 07d9513c0d5a6193a06e26992041e1f9.exe 28 PID 1756 wrote to memory of 2020 1756 07d9513c0d5a6193a06e26992041e1f9.exe 28 PID 2020 wrote to memory of 3000 2020 iC4Qt00.exe 29 PID 2020 wrote to memory of 3000 2020 iC4Qt00.exe 29 PID 2020 wrote to memory of 3000 2020 iC4Qt00.exe 29 PID 2020 wrote to memory of 3000 2020 iC4Qt00.exe 29 PID 2020 wrote to memory of 3000 2020 iC4Qt00.exe 29 PID 2020 wrote to memory of 3000 2020 iC4Qt00.exe 29 PID 2020 wrote to memory of 3000 2020 iC4Qt00.exe 29 PID 3000 wrote to memory of 2684 3000 1YI02Tr0.exe 30 PID 3000 wrote to memory of 2684 3000 1YI02Tr0.exe 30 PID 3000 wrote to memory of 2684 3000 1YI02Tr0.exe 30 PID 3000 wrote to memory of 2684 3000 1YI02Tr0.exe 30 PID 3000 wrote to memory of 2684 3000 1YI02Tr0.exe 30 PID 3000 wrote to memory of 2684 3000 1YI02Tr0.exe 30 PID 3000 wrote to memory of 2684 3000 1YI02Tr0.exe 30 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2736 3000 1YI02Tr0.exe 31 PID 3000 wrote to memory of 2440 3000 1YI02Tr0.exe 32 PID 3000 wrote to memory of 2440 3000 1YI02Tr0.exe 32 PID 3000 wrote to memory of 2440 3000 1YI02Tr0.exe 32 PID 3000 wrote to memory of 2440 3000 1YI02Tr0.exe 32 PID 3000 wrote to memory of 2440 3000 1YI02Tr0.exe 32 PID 3000 wrote to memory of 2440 3000 1YI02Tr0.exe 32 PID 3000 wrote to memory of 2440 3000 1YI02Tr0.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\07d9513c0d5a6193a06e26992041e1f9.exe"C:\Users\Admin\AppData\Local\Temp\07d9513c0d5a6193a06e26992041e1f9.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iC4Qt00.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YI02Tr0.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:2684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 2804⤵
- Loads dropped DLL
- Program crash
PID:2440
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
317KB
MD51227fce841a7bc05446eceec68e0ecb5
SHA1154acebc61b109c5c2af28852793de615967ae67
SHA2566e6c1bebb28a2c1036c785a16c779687963eca92e492346175458c006b341ae2
SHA512e91147cebfda9f709bffe57b01d0b2eda2f42f3a7964a0a9f8df5c4ada6614e6488d7e5dee9c309b36047b02a20e3a36a84a4d5473c4ed411c54a8db0843f954
-
Filesize
317KB
MD51227fce841a7bc05446eceec68e0ecb5
SHA1154acebc61b109c5c2af28852793de615967ae67
SHA2566e6c1bebb28a2c1036c785a16c779687963eca92e492346175458c006b341ae2
SHA512e91147cebfda9f709bffe57b01d0b2eda2f42f3a7964a0a9f8df5c4ada6614e6488d7e5dee9c309b36047b02a20e3a36a84a4d5473c4ed411c54a8db0843f954
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
Filesize
317KB
MD51227fce841a7bc05446eceec68e0ecb5
SHA1154acebc61b109c5c2af28852793de615967ae67
SHA2566e6c1bebb28a2c1036c785a16c779687963eca92e492346175458c006b341ae2
SHA512e91147cebfda9f709bffe57b01d0b2eda2f42f3a7964a0a9f8df5c4ada6614e6488d7e5dee9c309b36047b02a20e3a36a84a4d5473c4ed411c54a8db0843f954
-
Filesize
317KB
MD51227fce841a7bc05446eceec68e0ecb5
SHA1154acebc61b109c5c2af28852793de615967ae67
SHA2566e6c1bebb28a2c1036c785a16c779687963eca92e492346175458c006b341ae2
SHA512e91147cebfda9f709bffe57b01d0b2eda2f42f3a7964a0a9f8df5c4ada6614e6488d7e5dee9c309b36047b02a20e3a36a84a4d5473c4ed411c54a8db0843f954
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
Filesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c