372048b1b438348ce8b990581b83bf775c4cea4f71d141b3441c50ea1eca14d6

Analysis

max time kernel
123s
max time network
136s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
04-11-2023 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

372048b1b438348ce8b990581b83bf775c4cea4f71d141b3441c50ea1eca14d6.exe
Size

1.6MB
MD5

5db0f4b2b31d5bc7a7dd8d050f45a0ef
SHA1

351b4517a418b2ae72c69411e695d5016d282639
SHA256

372048b1b438348ce8b990581b83bf775c4cea4f71d141b3441c50ea1eca14d6
SHA512

451b8589957ed06fdef1054d08274feb0734a23b90b35abdbb18939502005644d8de445cdac79deda054644c1eddaebeb480b7d346ddf757016ca3fb5d5892b6
SSDEEP

49152:dmwAdoo5CVM9yO8ZBySmVb53ELh7BfsDK:o9d++L8Z4B/3ELhZsDK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 6 IoCs

pid	Process
2856	kZ9tT14.exe
2100	CS5fO31.exe
372	Pg8DZ98.exe
4380	Ym0zb34.exe
348	kF9xj34.exe
4768	1Ha24Sj6.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	CS5fO31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Pg8DZ98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ym0zb34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	kF9xj34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	372048b1b438348ce8b990581b83bf775c4cea4f71d141b3441c50ea1eca14d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kZ9tT14.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4768 set thread context of 1744	4768	1Ha24Sj6.exe	78

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3252	4768	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1744	AppLaunch.exe
1744	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	AppLaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 2856	4156	372048b1b438348ce8b990581b83bf775c4cea4f71d141b3441c50ea1eca14d6.exe	71
PID 4156 wrote to memory of 2856	4156	372048b1b438348ce8b990581b83bf775c4cea4f71d141b3441c50ea1eca14d6.exe	71
PID 4156 wrote to memory of 2856	4156	372048b1b438348ce8b990581b83bf775c4cea4f71d141b3441c50ea1eca14d6.exe	71
PID 2856 wrote to memory of 2100	2856	kZ9tT14.exe	72
PID 2856 wrote to memory of 2100	2856	kZ9tT14.exe	72
PID 2856 wrote to memory of 2100	2856	kZ9tT14.exe	72
PID 2100 wrote to memory of 372	2100	CS5fO31.exe	73
PID 2100 wrote to memory of 372	2100	CS5fO31.exe	73
PID 2100 wrote to memory of 372	2100	CS5fO31.exe	73
PID 372 wrote to memory of 4380	372	Pg8DZ98.exe	74
PID 372 wrote to memory of 4380	372	Pg8DZ98.exe	74
PID 372 wrote to memory of 4380	372	Pg8DZ98.exe	74
PID 4380 wrote to memory of 348	4380	Ym0zb34.exe	75
PID 4380 wrote to memory of 348	4380	Ym0zb34.exe	75
PID 4380 wrote to memory of 348	4380	Ym0zb34.exe	75
PID 348 wrote to memory of 4768	348	kF9xj34.exe	76
PID 348 wrote to memory of 4768	348	kF9xj34.exe	76
PID 348 wrote to memory of 4768	348	kF9xj34.exe	76
PID 4768 wrote to memory of 1744	4768	1Ha24Sj6.exe	78
PID 4768 wrote to memory of 1744	4768	1Ha24Sj6.exe	78
PID 4768 wrote to memory of 1744	4768	1Ha24Sj6.exe	78
PID 4768 wrote to memory of 1744	4768	1Ha24Sj6.exe	78
PID 4768 wrote to memory of 1744	4768	1Ha24Sj6.exe	78
PID 4768 wrote to memory of 1744	4768	1Ha24Sj6.exe	78
PID 4768 wrote to memory of 1744	4768	1Ha24Sj6.exe	78
PID 4768 wrote to memory of 1744	4768	1Ha24Sj6.exe	78

C:\Users\Admin\AppData\Local\Temp\372048b1b438348ce8b990581b83bf775c4cea4f71d141b3441c50ea1eca14d6.exe
"C:\Users\Admin\AppData\Local\Temp\372048b1b438348ce8b990581b83bf775c4cea4f71d141b3441c50ea1eca14d6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kZ9tT14.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kZ9tT14.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CS5fO31.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CS5fO31.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pg8DZ98.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pg8DZ98.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:372
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ym0zb34.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ym0zb34.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kF9xj34.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kF9xj34.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ha24Sj6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ha24Sj6.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 612
        8⤵
        Program crash
        
        PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kZ9tT14.exe

Filesize
1.5MB

MD5
3f04ad8c3eb6d8913d5f2435d73108e6

SHA1
7eb375ffb05d1378e86a830793bda216cbdd13ac

SHA256
51041dd3328bb28df6d3d33bd87b99a10a29027c090f8adca6aa3ff48f7341c2

SHA512
d999a8645d5d8dd4a80566bc9d8019f58332e2d9e0200a1cfdd5a604b76ce54b96cd44c611bc39916981a08ac29cb995b0989f076bbd5cbe3e3aa5014fbdaa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kZ9tT14.exe

Filesize
1.5MB

MD5
3f04ad8c3eb6d8913d5f2435d73108e6

SHA1
7eb375ffb05d1378e86a830793bda216cbdd13ac

SHA256
51041dd3328bb28df6d3d33bd87b99a10a29027c090f8adca6aa3ff48f7341c2

SHA512
d999a8645d5d8dd4a80566bc9d8019f58332e2d9e0200a1cfdd5a604b76ce54b96cd44c611bc39916981a08ac29cb995b0989f076bbd5cbe3e3aa5014fbdaa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CS5fO31.exe

Filesize
1.3MB

MD5
7bf4d6b4bed2c414e91b2ad2f0dc9163

SHA1
55ef50909fedc1967f29d88ece542f2954910c61

SHA256
2e00fddb2b162d8497391100dc6f19c4d9b03f6fcd84db7311793fc2d71b3ae0

SHA512
d7fb57ec410156879b34882b63c786fcdea012cebfa81c02f90471a32d53f7193bc869a23647a33292dc89fcbe1a385096c16bfd046dfcd02e8707aa94c8a56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CS5fO31.exe

Filesize
1.3MB

MD5
7bf4d6b4bed2c414e91b2ad2f0dc9163

SHA1
55ef50909fedc1967f29d88ece542f2954910c61

SHA256
2e00fddb2b162d8497391100dc6f19c4d9b03f6fcd84db7311793fc2d71b3ae0

SHA512
d7fb57ec410156879b34882b63c786fcdea012cebfa81c02f90471a32d53f7193bc869a23647a33292dc89fcbe1a385096c16bfd046dfcd02e8707aa94c8a56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pg8DZ98.exe

Filesize
1.1MB

MD5
eae7faac0010da641bb02db59c802d21

SHA1
ec70cfc66c351155995699e84ffd9fa5f6c3bb79

SHA256
04a1b9fed521461cea0f38f9671702fde623fa4d971e4ba651c07ccd203f37be

SHA512
fa93b9bffb062420b3b12555109cf70b70ff8fe9029484903cbeb7a1d3e71bafa28d4167b390342927df9e38054423266a235c010dee4f3fb78af8c1a5d9eb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pg8DZ98.exe

Filesize
1.1MB

MD5
eae7faac0010da641bb02db59c802d21

SHA1
ec70cfc66c351155995699e84ffd9fa5f6c3bb79

SHA256
04a1b9fed521461cea0f38f9671702fde623fa4d971e4ba651c07ccd203f37be

SHA512
fa93b9bffb062420b3b12555109cf70b70ff8fe9029484903cbeb7a1d3e71bafa28d4167b390342927df9e38054423266a235c010dee4f3fb78af8c1a5d9eb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ym0zb34.exe

Filesize
699KB

MD5
039689ef12696a813b917a3154aa6713

SHA1
f8557b0d2ab784e80a486e37c5ee07d888fb3cec

SHA256
c9bdb35aea6f26ced051d16594561fd8651730910b3f80a03dda6f2f75913532

SHA512
dc0eba39b6503c8ef534bd386e5b9e9985b4b84447aa28795c935300567c815d034ebc21d1a7aff44f9752ea925867beaf447d539a738d9cd8755e365c7d79a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ym0zb34.exe

Filesize
699KB

MD5
039689ef12696a813b917a3154aa6713

SHA1
f8557b0d2ab784e80a486e37c5ee07d888fb3cec

SHA256
c9bdb35aea6f26ced051d16594561fd8651730910b3f80a03dda6f2f75913532

SHA512
dc0eba39b6503c8ef534bd386e5b9e9985b4b84447aa28795c935300567c815d034ebc21d1a7aff44f9752ea925867beaf447d539a738d9cd8755e365c7d79a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kF9xj34.exe

Filesize
575KB

MD5
77c0b9abd4f605c5107d297751d56e22

SHA1
1e343165afb9aa382c7df3a8e2458eeabb91193e

SHA256
6a8bdb0242952442bc8a9dbac922e250d207f397e0cc6bd1d7fcb12e0d802fe6

SHA512
16c95f0828f79b35a86218991fb2a4190f7cc73b53ed54cd80a5fe16fc21d22b53aec502fa058fedf1d938b348f17442f03950a0a2230823b357638b449ee33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kF9xj34.exe

Filesize
575KB

MD5
77c0b9abd4f605c5107d297751d56e22

SHA1
1e343165afb9aa382c7df3a8e2458eeabb91193e

SHA256
6a8bdb0242952442bc8a9dbac922e250d207f397e0cc6bd1d7fcb12e0d802fe6

SHA512
16c95f0828f79b35a86218991fb2a4190f7cc73b53ed54cd80a5fe16fc21d22b53aec502fa058fedf1d938b348f17442f03950a0a2230823b357638b449ee33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ha24Sj6.exe

Filesize
1.4MB

MD5
8137c75a96e6fea01be69bdab54b05f7

SHA1
dc3bbc19d493fd7c55c4d0792a8a4831145037fd

SHA256
ba49d0734961b3ee391dfe9cf845ee8747862ec1e9b56599c2c512a3c87e0942

SHA512
990ced5c90274d0c7245ca30e02f6368951f97f15bd121448b298d5cc9b76b2afc64f3f6cec8338106ddfac410a38768eb710ab81535a73fcaf8e10ee18a933d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ha24Sj6.exe

Filesize
1.4MB

MD5
8137c75a96e6fea01be69bdab54b05f7

SHA1
dc3bbc19d493fd7c55c4d0792a8a4831145037fd

SHA256
ba49d0734961b3ee391dfe9cf845ee8747862ec1e9b56599c2c512a3c87e0942

SHA512
990ced5c90274d0c7245ca30e02f6368951f97f15bd121448b298d5cc9b76b2afc64f3f6cec8338106ddfac410a38768eb710ab81535a73fcaf8e10ee18a933d

Download Submit
memory/1744-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1744-45-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/1744-50-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/1744-69-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download