f6d704409dab8eefcb3e767bd430a0f21f449772d263516282e3e8d5c2de324b

Analysis

max time kernel
127s
max time network
135s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2023, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6d704409dab8eefcb3e767bd430a0f21f449772d263516282e3e8d5c2de324b.exe
Size

1.4MB
MD5

208880d54eac8a653d4d775f4a83a6e1
SHA1

220615dc5c1f0056ac06f82982830ed6f7264a67
SHA256

f6d704409dab8eefcb3e767bd430a0f21f449772d263516282e3e8d5c2de324b
SHA512

4d186316b6c466992240f927af4768e5a22b14ba1c32e76faa4ff8cad82bef9f22d29cd16e2bf9c18fdb3b01a3578203a5b12080061d64cf3c34342dcff49bb2
SSDEEP

24576:My2tEkFHpHg3Hg25yJjvnXun2GXiJUimwdCmSrl98ur/Ml9SD1O03AZyMLzT:72XjHGHg2Ux+2GcUJwCmUlqqO9cmP

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
4112	ob0Ol28.exe
2184	wD2gJ96.exe
3440	YJ0Gu05.exe
4496	kE3KX77.exe
4396	1et88YL5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	wD2gJ96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	YJ0Gu05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kE3KX77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f6d704409dab8eefcb3e767bd430a0f21f449772d263516282e3e8d5c2de324b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ob0Ol28.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4396 set thread context of 4308	4396	1et88YL5.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	4396	WerFault.exe	74

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4308	AppLaunch.exe
4308	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4112	2428	f6d704409dab8eefcb3e767bd430a0f21f449772d263516282e3e8d5c2de324b.exe	70
PID 2428 wrote to memory of 4112	2428	f6d704409dab8eefcb3e767bd430a0f21f449772d263516282e3e8d5c2de324b.exe	70
PID 2428 wrote to memory of 4112	2428	f6d704409dab8eefcb3e767bd430a0f21f449772d263516282e3e8d5c2de324b.exe	70
PID 4112 wrote to memory of 2184	4112	ob0Ol28.exe	71
PID 4112 wrote to memory of 2184	4112	ob0Ol28.exe	71
PID 4112 wrote to memory of 2184	4112	ob0Ol28.exe	71
PID 2184 wrote to memory of 3440	2184	wD2gJ96.exe	72
PID 2184 wrote to memory of 3440	2184	wD2gJ96.exe	72
PID 2184 wrote to memory of 3440	2184	wD2gJ96.exe	72
PID 3440 wrote to memory of 4496	3440	YJ0Gu05.exe	73
PID 3440 wrote to memory of 4496	3440	YJ0Gu05.exe	73
PID 3440 wrote to memory of 4496	3440	YJ0Gu05.exe	73
PID 4496 wrote to memory of 4396	4496	kE3KX77.exe	74
PID 4496 wrote to memory of 4396	4496	kE3KX77.exe	74
PID 4496 wrote to memory of 4396	4496	kE3KX77.exe	74
PID 4396 wrote to memory of 4308	4396	1et88YL5.exe	75
PID 4396 wrote to memory of 4308	4396	1et88YL5.exe	75
PID 4396 wrote to memory of 4308	4396	1et88YL5.exe	75
PID 4396 wrote to memory of 4308	4396	1et88YL5.exe	75
PID 4396 wrote to memory of 4308	4396	1et88YL5.exe	75
PID 4396 wrote to memory of 4308	4396	1et88YL5.exe	75
PID 4396 wrote to memory of 4308	4396	1et88YL5.exe	75
PID 4396 wrote to memory of 4308	4396	1et88YL5.exe	75

C:\Users\Admin\AppData\Local\Temp\f6d704409dab8eefcb3e767bd430a0f21f449772d263516282e3e8d5c2de324b.exe
"C:\Users\Admin\AppData\Local\Temp\f6d704409dab8eefcb3e767bd430a0f21f449772d263516282e3e8d5c2de324b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ob0Ol28.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ob0Ol28.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wD2gJ96.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wD2gJ96.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YJ0Gu05.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YJ0Gu05.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kE3KX77.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kE3KX77.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1et88YL5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1et88YL5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 592
        7⤵
        Program crash
        
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ob0Ol28.exe

Filesize
1.3MB

MD5
80441f7da6b44370764661c9eb1a0491

SHA1
5b1a4003f58745b6e28b09abb9a048aeb142563b

SHA256
2666ea45faf5dabdae4653636d92047dc006a351acf6de5d089ca2f532d726f1

SHA512
0bc39ce256e5e206776e19521ac4719800c37af03e0f7ae8216dcc52c740c17ad17b984d14b86acd658e885d0feaed126962862207d01b7dac8c262a47c8c4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ob0Ol28.exe

Filesize
1.3MB

MD5
80441f7da6b44370764661c9eb1a0491

SHA1
5b1a4003f58745b6e28b09abb9a048aeb142563b

SHA256
2666ea45faf5dabdae4653636d92047dc006a351acf6de5d089ca2f532d726f1

SHA512
0bc39ce256e5e206776e19521ac4719800c37af03e0f7ae8216dcc52c740c17ad17b984d14b86acd658e885d0feaed126962862207d01b7dac8c262a47c8c4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wD2gJ96.exe

Filesize
1.1MB

MD5
13923efbc13043eec140a7c806517695

SHA1
04a9ffc2a8774946688d4b6855e3168b720b45c5

SHA256
1ce34e5ed8ae8362095ae0d70aaed5c083d4bbffd721fa0b90a16fbef0c47c6e

SHA512
651a1b36b35517ca2341498479391ee8b49ab762632723a59a9184551be65de8c0c1401ba7ef75910195b92ba723696ecae0d42ec17382b3f95ca064ef4cf5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wD2gJ96.exe

Filesize
1.1MB

MD5
13923efbc13043eec140a7c806517695

SHA1
04a9ffc2a8774946688d4b6855e3168b720b45c5

SHA256
1ce34e5ed8ae8362095ae0d70aaed5c083d4bbffd721fa0b90a16fbef0c47c6e

SHA512
651a1b36b35517ca2341498479391ee8b49ab762632723a59a9184551be65de8c0c1401ba7ef75910195b92ba723696ecae0d42ec17382b3f95ca064ef4cf5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YJ0Gu05.exe

Filesize
683KB

MD5
a4905ab41835caab0c2521245821760d

SHA1
27a0126a0a13459d5d52a33fb22ee418159ca059

SHA256
d25ad5143999baa1d9383bf0aec200fbfbef4c239e6c5792f6dbdc18a32c9f68

SHA512
58eacd2b098bf86cbf5ee58bf3ddf38fa2a8c7182fe316b2da1e92674d6da5aa5ce716bb1be046040093c37006782090f4452260f6ae158f05d3287cffb56884

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YJ0Gu05.exe

Filesize
683KB

MD5
a4905ab41835caab0c2521245821760d

SHA1
27a0126a0a13459d5d52a33fb22ee418159ca059

SHA256
d25ad5143999baa1d9383bf0aec200fbfbef4c239e6c5792f6dbdc18a32c9f68

SHA512
58eacd2b098bf86cbf5ee58bf3ddf38fa2a8c7182fe316b2da1e92674d6da5aa5ce716bb1be046040093c37006782090f4452260f6ae158f05d3287cffb56884

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kE3KX77.exe

Filesize
559KB

MD5
f6784b5139fa1666b0e43de37128b997

SHA1
c08adfb7c015e24f17109f1179f88337077c58b0

SHA256
e6a48969492c4473b4575de3547202103d39f82abf7d695b6bd6ce1a2fead08d

SHA512
6a8d8ac4c907fc6d6c579bbe642ea16d8814a0b7e46ab885c9be2aa9bb2ede734b56d687aa3a65d4d0a6d45389e6158d27bee7dab34b0fe227a5a0e50e609796

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kE3KX77.exe

Filesize
559KB

MD5
f6784b5139fa1666b0e43de37128b997

SHA1
c08adfb7c015e24f17109f1179f88337077c58b0

SHA256
e6a48969492c4473b4575de3547202103d39f82abf7d695b6bd6ce1a2fead08d

SHA512
6a8d8ac4c907fc6d6c579bbe642ea16d8814a0b7e46ab885c9be2aa9bb2ede734b56d687aa3a65d4d0a6d45389e6158d27bee7dab34b0fe227a5a0e50e609796

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1et88YL5.exe

Filesize
935KB

MD5
676bfeec22ea140cde7b7e48786d3584

SHA1
8b9db5ef0f2b56cf2d674f6c80c99ed5ae842168

SHA256
20056cb15e7fac62736769f5d7e5ab8a4c8a77e7cce112b0a619643c0d955fa4

SHA512
0cb5717f8090d7386947c2d0d7ba8a84c57af33ea4faaedd1c81e9d9dfdb509cb99798f5dfeffbd688541922c97e90191dd9b0f7fcc60dfd5b4319852d25286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1et88YL5.exe

Filesize
935KB

MD5
676bfeec22ea140cde7b7e48786d3584

SHA1
8b9db5ef0f2b56cf2d674f6c80c99ed5ae842168

SHA256
20056cb15e7fac62736769f5d7e5ab8a4c8a77e7cce112b0a619643c0d955fa4

SHA512
0cb5717f8090d7386947c2d0d7ba8a84c57af33ea4faaedd1c81e9d9dfdb509cb99798f5dfeffbd688541922c97e90191dd9b0f7fcc60dfd5b4319852d25286d

Download Submit
memory/4308-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4308-38-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/4308-47-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/4308-62-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download