128b32839aed998bf6f06bc1aa166d983e5086f4218470dd59d64460bd71d584

Analysis

max time kernel
45s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 03:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

128b32839aed998bf6f06bc1aa166d983e5086f4218470dd59d64460bd71d584.exe
Size

1.4MB
MD5

ae6ae06dd77d1cb733601a0481ec3dda
SHA1

288fddd6745db83f899bafc0ce7239db4dc94391
SHA256

128b32839aed998bf6f06bc1aa166d983e5086f4218470dd59d64460bd71d584
SHA512

ea71976902a1293f4ebd8c281338ee768039b1060f95cc4e6a7a4d7ab7e64cfef4453ad680a9aecc658febaa5915ba9d4f2b78f306b1fcce97c0c5e0e3b8fbf3
SSDEEP

24576:uyOjDvEF5PzUV5dhlaGZumJyLYtcisfOklQcGfwO1j+P7:9+DwAUuu6eYaisDOt+P

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1mH99Gd2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1mH99Gd2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1mH99Gd2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1mH99Gd2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1mH99Gd2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1mH99Gd2.exe

Executes dropped EXE 5 IoCs

pid	Process
1020	fL3zB27.exe
2480	DW9zn26.exe
2224	Io6QT14.exe
3496	if7Ti73.exe
1580	1mH99Gd2.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1mH99Gd2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	1mH99Gd2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	128b32839aed998bf6f06bc1aa166d983e5086f4218470dd59d64460bd71d584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fL3zB27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	DW9zn26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Io6QT14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	if7Ti73.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1580	1mH99Gd2.exe
1580	1mH99Gd2.exe
1580	1mH99Gd2.exe
1580	1mH99Gd2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1020	2128	128b32839aed998bf6f06bc1aa166d983e5086f4218470dd59d64460bd71d584.exe	85
PID 2128 wrote to memory of 1020	2128	128b32839aed998bf6f06bc1aa166d983e5086f4218470dd59d64460bd71d584.exe	85
PID 2128 wrote to memory of 1020	2128	128b32839aed998bf6f06bc1aa166d983e5086f4218470dd59d64460bd71d584.exe	85
PID 1020 wrote to memory of 2480	1020	fL3zB27.exe	86
PID 1020 wrote to memory of 2480	1020	fL3zB27.exe	86
PID 1020 wrote to memory of 2480	1020	fL3zB27.exe	86
PID 2480 wrote to memory of 2224	2480	DW9zn26.exe	87
PID 2480 wrote to memory of 2224	2480	DW9zn26.exe	87
PID 2480 wrote to memory of 2224	2480	DW9zn26.exe	87
PID 2224 wrote to memory of 3496	2224	Io6QT14.exe	88
PID 2224 wrote to memory of 3496	2224	Io6QT14.exe	88
PID 2224 wrote to memory of 3496	2224	Io6QT14.exe	88
PID 3496 wrote to memory of 1580	3496	if7Ti73.exe	90
PID 3496 wrote to memory of 1580	3496	if7Ti73.exe	90
PID 2976 wrote to memory of 4772	2976	cmd.exe	94
PID 2976 wrote to memory of 4772	2976	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\128b32839aed998bf6f06bc1aa166d983e5086f4218470dd59d64460bd71d584.exe
"C:\Users\Admin\AppData\Local\Temp\128b32839aed998bf6f06bc1aa166d983e5086f4218470dd59d64460bd71d584.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL3zB27.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL3zB27.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DW9zn26.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DW9zn26.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Io6QT14.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Io6QT14.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\if7Ti73.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\if7Ti73.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mH99Gd2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mH99Gd2.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regini "C:\Users\Admin\AppData\Roaming\random_1697946699.txt"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\regini.exe
  regini "C:\Users\Admin\AppData\Roaming\random_1697946699.txt"
  2⤵
  PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL3zB27.exe

Filesize
1.3MB

MD5
1c894101620a84e4ec5c7520c34bfb25

SHA1
e6726096a8aa43fb10a37d2f19e06aeb9b8cac1a

SHA256
eb88fd57edde82c5207709d68f461da708905b9882582ac2e4eb59ed533e26e4

SHA512
d8a76f919b40126a3b427a7b55ac0f31b4aba5a9aa266147ca74886f1c031cde9108038ccc276ac0b0ccd895b6d7d01675952403da405a7c07c7ab3acb28a2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL3zB27.exe

Filesize
1.3MB

MD5
1c894101620a84e4ec5c7520c34bfb25

SHA1
e6726096a8aa43fb10a37d2f19e06aeb9b8cac1a

SHA256
eb88fd57edde82c5207709d68f461da708905b9882582ac2e4eb59ed533e26e4

SHA512
d8a76f919b40126a3b427a7b55ac0f31b4aba5a9aa266147ca74886f1c031cde9108038ccc276ac0b0ccd895b6d7d01675952403da405a7c07c7ab3acb28a2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DW9zn26.exe

Filesize
1.1MB

MD5
dd0e40a7eb15ae46166929ffbd23e141

SHA1
3cfe4d511ca42f7fb68e950446dc726ed1345b38

SHA256
9112ccaa55752a86f8cf32a19aee04ebe982d80d222750ab2c73d46a80282134

SHA512
e087fdbf92da03e9b83fb182e3d385bd128ecd4f63c5b4970f5e2ff790189bfcfd4d2d0f72da4228fb684e27a017fa0e534cc099516204452d64e235bad2d0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DW9zn26.exe

Filesize
1.1MB

MD5
dd0e40a7eb15ae46166929ffbd23e141

SHA1
3cfe4d511ca42f7fb68e950446dc726ed1345b38

SHA256
9112ccaa55752a86f8cf32a19aee04ebe982d80d222750ab2c73d46a80282134

SHA512
e087fdbf92da03e9b83fb182e3d385bd128ecd4f63c5b4970f5e2ff790189bfcfd4d2d0f72da4228fb684e27a017fa0e534cc099516204452d64e235bad2d0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Io6QT14.exe

Filesize
721KB

MD5
52a9a9edb6e12950c959e034ebc27a4d

SHA1
45f6496f70fa9beef7df90f26c3870126679f024

SHA256
6eb8b517204ed3b047d916cf67d67fc28e86ea2a9e099633601fdc6794ecd5bc

SHA512
b3a1d5fee0b782276bd06ea8bbcd342eabdd3efed4e3569b076e2f1eee0d2fc7a69c7c5bf7a10a78cad2e1d418fdd7b4a82e6d485fe4355b6520011d22c4df6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Io6QT14.exe

Filesize
721KB

MD5
52a9a9edb6e12950c959e034ebc27a4d

SHA1
45f6496f70fa9beef7df90f26c3870126679f024

SHA256
6eb8b517204ed3b047d916cf67d67fc28e86ea2a9e099633601fdc6794ecd5bc

SHA512
b3a1d5fee0b782276bd06ea8bbcd342eabdd3efed4e3569b076e2f1eee0d2fc7a69c7c5bf7a10a78cad2e1d418fdd7b4a82e6d485fe4355b6520011d22c4df6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\if7Ti73.exe

Filesize
354KB

MD5
8df48f8374298b151f76a82b2465bae2

SHA1
81ac0ce9d5d82563ff744b80e942a2d49c5ef1c5

SHA256
77c998e7e0be621fcfe6b720d20b79c196ab26b7fb0b7967d3dfb8c146f985eb

SHA512
00d54bd978135090b73fc0e01edaec4d39d3e9edd625129d7c71a39dea99f3482bfb1e05067f7e72eaab4c3a42f1ae579c1c1caad9156a735aa11159ce37e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\if7Ti73.exe

Filesize
354KB

MD5
8df48f8374298b151f76a82b2465bae2

SHA1
81ac0ce9d5d82563ff744b80e942a2d49c5ef1c5

SHA256
77c998e7e0be621fcfe6b720d20b79c196ab26b7fb0b7967d3dfb8c146f985eb

SHA512
00d54bd978135090b73fc0e01edaec4d39d3e9edd625129d7c71a39dea99f3482bfb1e05067f7e72eaab4c3a42f1ae579c1c1caad9156a735aa11159ce37e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mH99Gd2.exe

Filesize
265KB

MD5
15fe972bcfd9189d826083838645b850

SHA1
d2bf7fee68e358fa71b942b8ae92e483536abf86

SHA256
ec739f26f487bcc65718bb8c28a5e3adf817a18e01952bd888f618a57c1e61d4

SHA512
30f7c8daa78ba9bb32d5dca56440fd9b1d36336f496521920ab41737787c1c8e0bcdd714b72249e0ab52908d7918afcaf9e0b3f5ba2a8a2888e9adb538810cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mH99Gd2.exe

Filesize
265KB

MD5
15fe972bcfd9189d826083838645b850

SHA1
d2bf7fee68e358fa71b942b8ae92e483536abf86

SHA256
ec739f26f487bcc65718bb8c28a5e3adf817a18e01952bd888f618a57c1e61d4

SHA512
30f7c8daa78ba9bb32d5dca56440fd9b1d36336f496521920ab41737787c1c8e0bcdd714b72249e0ab52908d7918afcaf9e0b3f5ba2a8a2888e9adb538810cfe

Download Submit
C:\Users\Admin\AppData\Roaming\random_1697946699.txt

Filesize
78B

MD5
2d245696c73134b0a9a2ac296ea7c170

SHA1
f234419d7a09920a46ad291b98d7dca5a11f0da8

SHA256
ed83e1f6850e48029654e9829cbf6e2cdff82f55f61d1449f822e448f75e8930

SHA512
af0b981ef20aa94aff080fbd2030556fe47c4cc563885b162e604f72bc70c4a0eee4ee57ce4ea8964e6363a32ba34f8bee933db30d3d61392c42299621a4fc79

Download Submit