f0c07ad9dca99dc443ba31536ef7c374a75f072eb859be7284241fe976bc8428

Analysis

max time kernel
81s
max time network
186s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
29-10-2023 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0c07ad9dca99dc443ba31536ef7c374a75f072eb859be7284241fe976bc8428.exe
Size

1.5MB
MD5

553bed1fdea47bf7c8e05f6d4328a026
SHA1

4d78a95b2a6df60127dafa0f01f2d534987b6a60
SHA256

f0c07ad9dca99dc443ba31536ef7c374a75f072eb859be7284241fe976bc8428
SHA512

664883ce32d246184fc770036116896e427190db7bfa13dc9e1c50edd499f5a6d0efced815d122b3c2d807150165dcac0eb5f9d1c3d25d68dfd4c95994bce881
SSDEEP

24576:syEBHW07cIbgiXUCdfopC4slVl3LeFW9v443UAbfhnZT6VvRCMJrms37VRpT0xvW:bEBHWgJhfYs9MiZnZT6ZR1JrbjT0x

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Executes dropped EXE 6 IoCs

pid	Process
4944	Xe0cw28.exe
360	xH7vS27.exe
2112	Hb5zx68.exe
2912	IN6ln26.exe
2936	Ql4Tm89.exe
1684	1gu07ix0.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0c07ad9dca99dc443ba31536ef7c374a75f072eb859be7284241fe976bc8428.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Xe0cw28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xH7vS27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Hb5zx68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	IN6ln26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	Ql4Tm89.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 3076	1684	1gu07ix0.exe	77

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2760	1684	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3076	AppLaunch.exe
3076	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	AppLaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 4944	1240	f0c07ad9dca99dc443ba31536ef7c374a75f072eb859be7284241fe976bc8428.exe	71
PID 1240 wrote to memory of 4944	1240	f0c07ad9dca99dc443ba31536ef7c374a75f072eb859be7284241fe976bc8428.exe	71
PID 1240 wrote to memory of 4944	1240	f0c07ad9dca99dc443ba31536ef7c374a75f072eb859be7284241fe976bc8428.exe	71
PID 4944 wrote to memory of 360	4944	Xe0cw28.exe	72
PID 4944 wrote to memory of 360	4944	Xe0cw28.exe	72
PID 4944 wrote to memory of 360	4944	Xe0cw28.exe	72
PID 360 wrote to memory of 2112	360	xH7vS27.exe	73
PID 360 wrote to memory of 2112	360	xH7vS27.exe	73
PID 360 wrote to memory of 2112	360	xH7vS27.exe	73
PID 2112 wrote to memory of 2912	2112	Hb5zx68.exe	74
PID 2112 wrote to memory of 2912	2112	Hb5zx68.exe	74
PID 2112 wrote to memory of 2912	2112	Hb5zx68.exe	74
PID 2912 wrote to memory of 2936	2912	IN6ln26.exe	75
PID 2912 wrote to memory of 2936	2912	IN6ln26.exe	75
PID 2912 wrote to memory of 2936	2912	IN6ln26.exe	75
PID 2936 wrote to memory of 1684	2936	Ql4Tm89.exe	76
PID 2936 wrote to memory of 1684	2936	Ql4Tm89.exe	76
PID 2936 wrote to memory of 1684	2936	Ql4Tm89.exe	76
PID 1684 wrote to memory of 3076	1684	1gu07ix0.exe	77
PID 1684 wrote to memory of 3076	1684	1gu07ix0.exe	77
PID 1684 wrote to memory of 3076	1684	1gu07ix0.exe	77
PID 1684 wrote to memory of 3076	1684	1gu07ix0.exe	77
PID 1684 wrote to memory of 3076	1684	1gu07ix0.exe	77
PID 1684 wrote to memory of 3076	1684	1gu07ix0.exe	77
PID 1684 wrote to memory of 3076	1684	1gu07ix0.exe	77
PID 1684 wrote to memory of 3076	1684	1gu07ix0.exe	77

C:\Users\Admin\AppData\Local\Temp\f0c07ad9dca99dc443ba31536ef7c374a75f072eb859be7284241fe976bc8428.exe
"C:\Users\Admin\AppData\Local\Temp\f0c07ad9dca99dc443ba31536ef7c374a75f072eb859be7284241fe976bc8428.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xe0cw28.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xe0cw28.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xH7vS27.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xH7vS27.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hb5zx68.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hb5zx68.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IN6ln26.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IN6ln26.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ql4Tm89.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ql4Tm89.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gu07ix0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gu07ix0.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 572
        8⤵
        Program crash
        
        PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xe0cw28.exe

Filesize
1.4MB

MD5
488aec9e69e060545768961b3e505616

SHA1
38d8fd35e56b2459e246c44aac9ab9b23142e0d0

SHA256
7d1eceab87efe1f9bdb4a96643fc2f5a88d6cd29fe9be69ed6884dc4b3a219a5

SHA512
2968eaa8fc610a905d6fb3d619d1f5d933018bad07b3634a2113fed01797c08583f63a55a8450fdc0e857ae4f49f4081d6a3ff4977140bcdc0c9ef74352a68e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xe0cw28.exe

Filesize
1.4MB

MD5
488aec9e69e060545768961b3e505616

SHA1
38d8fd35e56b2459e246c44aac9ab9b23142e0d0

SHA256
7d1eceab87efe1f9bdb4a96643fc2f5a88d6cd29fe9be69ed6884dc4b3a219a5

SHA512
2968eaa8fc610a905d6fb3d619d1f5d933018bad07b3634a2113fed01797c08583f63a55a8450fdc0e857ae4f49f4081d6a3ff4977140bcdc0c9ef74352a68e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xH7vS27.exe

Filesize
1.2MB

MD5
e592cb069a618092fcf19202a97d8a5c

SHA1
7fb2f83a915fbc6e7b37aa5131818c8b02af9078

SHA256
a476c8a2a31ed0e61a276e05cfc36aeeaeddc519c825625c34278717cf3eaebd

SHA512
ceb747d95454de561d1206f9af9f51e81e9bace6e8ab54d26212e7b3a1c412227f15124aea369071b224e1736457989ecbc140f2de79b414e582bd4df9ddf4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xH7vS27.exe

Filesize
1.2MB

MD5
e592cb069a618092fcf19202a97d8a5c

SHA1
7fb2f83a915fbc6e7b37aa5131818c8b02af9078

SHA256
a476c8a2a31ed0e61a276e05cfc36aeeaeddc519c825625c34278717cf3eaebd

SHA512
ceb747d95454de561d1206f9af9f51e81e9bace6e8ab54d26212e7b3a1c412227f15124aea369071b224e1736457989ecbc140f2de79b414e582bd4df9ddf4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hb5zx68.exe

Filesize
1.0MB

MD5
d7848bbee82b3064d40c0d19264af0e1

SHA1
87e72e1013fd39907e4478ceb8a25891e8690de5

SHA256
aec9d039204e6535d66362e2f36296878b169096642a029ebfccf67b8bf86dd7

SHA512
495ff3e96f1ba1fc29d69ac8b0021e97b613a490e19c174edd6a3250f0a583bd07e43af769118391c4593b1ad872eb1f2f8b528d8191ebc1e94a0f3c3d681f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hb5zx68.exe

Filesize
1.0MB

MD5
d7848bbee82b3064d40c0d19264af0e1

SHA1
87e72e1013fd39907e4478ceb8a25891e8690de5

SHA256
aec9d039204e6535d66362e2f36296878b169096642a029ebfccf67b8bf86dd7

SHA512
495ff3e96f1ba1fc29d69ac8b0021e97b613a490e19c174edd6a3250f0a583bd07e43af769118391c4593b1ad872eb1f2f8b528d8191ebc1e94a0f3c3d681f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IN6ln26.exe

Filesize
650KB

MD5
99d1421fcaf5337d53863ddaab35831b

SHA1
346ef8192e0ed5125671aa5dee9f15b8ea612066

SHA256
f29e15f2895caf3cebbf50242263774135fe0e2a4abfd25e56c880e152e58821

SHA512
cc59564dda6253677eb09cd9b7e6c0163ae325e67da4df247731a5014e828849fceabbf1215b3d28b7648ae0fa4639ee3f9f58159cf2ab6f37f68439a955339e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IN6ln26.exe

Filesize
650KB

MD5
99d1421fcaf5337d53863ddaab35831b

SHA1
346ef8192e0ed5125671aa5dee9f15b8ea612066

SHA256
f29e15f2895caf3cebbf50242263774135fe0e2a4abfd25e56c880e152e58821

SHA512
cc59564dda6253677eb09cd9b7e6c0163ae325e67da4df247731a5014e828849fceabbf1215b3d28b7648ae0fa4639ee3f9f58159cf2ab6f37f68439a955339e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ql4Tm89.exe

Filesize
525KB

MD5
a7aa2a123ba1da99005727e64825ae83

SHA1
ed00120809f7f8409b41076b11a996e4f7359355

SHA256
c7521925c8e9143932e7bda1d7ab50dfd3f89464554bbccb87c1417599d76ecb

SHA512
5aede6655964fa58189e490542ead269aa0a64452c52fd1578c2df37098a19e88389a74101430d3a1a8fbe1789d16ccc70a795eadabdd0f68544cf47e0f034a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ql4Tm89.exe

Filesize
525KB

MD5
a7aa2a123ba1da99005727e64825ae83

SHA1
ed00120809f7f8409b41076b11a996e4f7359355

SHA256
c7521925c8e9143932e7bda1d7ab50dfd3f89464554bbccb87c1417599d76ecb

SHA512
5aede6655964fa58189e490542ead269aa0a64452c52fd1578c2df37098a19e88389a74101430d3a1a8fbe1789d16ccc70a795eadabdd0f68544cf47e0f034a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gu07ix0.exe

Filesize
890KB

MD5
e978c7e1a5be84e958419fdcecd0e1f0

SHA1
16990d1c40986a496472fe3221d9ceb981e25f4a

SHA256
e72e37b2e1966aa59d99102486d99e0cded9faded978cdb8e7b1e59e49c4cb14

SHA512
9fb36bc7791fa24cd8e87ab2fbe02079361f299a84866882b945fab775e44408d112543aced0735cb4aa6267fe8c325925a20ca643cd47b2bb3e07a2ba49484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gu07ix0.exe

Filesize
890KB

MD5
e978c7e1a5be84e958419fdcecd0e1f0

SHA1
16990d1c40986a496472fe3221d9ceb981e25f4a

SHA256
e72e37b2e1966aa59d99102486d99e0cded9faded978cdb8e7b1e59e49c4cb14

SHA512
9fb36bc7791fa24cd8e87ab2fbe02079361f299a84866882b945fab775e44408d112543aced0735cb4aa6267fe8c325925a20ca643cd47b2bb3e07a2ba49484a

Download Submit
memory/3076-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3076-45-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/3076-54-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/3076-69-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download