81978f818cf6d7fc9e9e3c377cf8a6758646ad1899449af4a56c9d74c4249525

Analysis

max time kernel
117s
max time network
125s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
04-11-2023 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81978f818cf6d7fc9e9e3c377cf8a6758646ad1899449af4a56c9d74c4249525.exe
Size

1.6MB
MD5

de5e46e382460c7540cdb18872cb1719
SHA1

40c75f4ee504032dbc194f53f7dfa5bd47ed2a74
SHA256

81978f818cf6d7fc9e9e3c377cf8a6758646ad1899449af4a56c9d74c4249525
SHA512

404e78efcd908bc867bd484de7aa671512b8dda48168e3d05f49c65f9b3b556ecb49a5ebef9d565876f3f40e753969e78dc03645a380af3772a223cef9f58fc0
SSDEEP

49152:YXojygJAx7wbQNySgMzrxPjyBdXSPcJT:DkySgM/8/XBJT

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 6 IoCs

pid	Process
3084	dm2Wy46.exe
2464	hF7RH66.exe
4952	gB2jh88.exe
4924	tr4Tx21.exe
4920	Bp4bP67.exe
2916	1vi75WQ2.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gB2jh88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	tr4Tx21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	Bp4bP67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	81978f818cf6d7fc9e9e3c377cf8a6758646ad1899449af4a56c9d74c4249525.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dm2Wy46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hF7RH66.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 2580	2916	1vi75WQ2.exe	77

Program crash 1 IoCs

pid	pid_target	Process	procid_target
512	2916	WerFault.exe	75

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2580	AppLaunch.exe
2580	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	AppLaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3084	4372	81978f818cf6d7fc9e9e3c377cf8a6758646ad1899449af4a56c9d74c4249525.exe	70
PID 4372 wrote to memory of 3084	4372	81978f818cf6d7fc9e9e3c377cf8a6758646ad1899449af4a56c9d74c4249525.exe	70
PID 4372 wrote to memory of 3084	4372	81978f818cf6d7fc9e9e3c377cf8a6758646ad1899449af4a56c9d74c4249525.exe	70
PID 3084 wrote to memory of 2464	3084	dm2Wy46.exe	71
PID 3084 wrote to memory of 2464	3084	dm2Wy46.exe	71
PID 3084 wrote to memory of 2464	3084	dm2Wy46.exe	71
PID 2464 wrote to memory of 4952	2464	hF7RH66.exe	72
PID 2464 wrote to memory of 4952	2464	hF7RH66.exe	72
PID 2464 wrote to memory of 4952	2464	hF7RH66.exe	72
PID 4952 wrote to memory of 4924	4952	gB2jh88.exe	73
PID 4952 wrote to memory of 4924	4952	gB2jh88.exe	73
PID 4952 wrote to memory of 4924	4952	gB2jh88.exe	73
PID 4924 wrote to memory of 4920	4924	tr4Tx21.exe	74
PID 4924 wrote to memory of 4920	4924	tr4Tx21.exe	74
PID 4924 wrote to memory of 4920	4924	tr4Tx21.exe	74
PID 4920 wrote to memory of 2916	4920	Bp4bP67.exe	75
PID 4920 wrote to memory of 2916	4920	Bp4bP67.exe	75
PID 4920 wrote to memory of 2916	4920	Bp4bP67.exe	75
PID 2916 wrote to memory of 2580	2916	1vi75WQ2.exe	77
PID 2916 wrote to memory of 2580	2916	1vi75WQ2.exe	77
PID 2916 wrote to memory of 2580	2916	1vi75WQ2.exe	77
PID 2916 wrote to memory of 2580	2916	1vi75WQ2.exe	77
PID 2916 wrote to memory of 2580	2916	1vi75WQ2.exe	77
PID 2916 wrote to memory of 2580	2916	1vi75WQ2.exe	77
PID 2916 wrote to memory of 2580	2916	1vi75WQ2.exe	77
PID 2916 wrote to memory of 2580	2916	1vi75WQ2.exe	77

C:\Users\Admin\AppData\Local\Temp\81978f818cf6d7fc9e9e3c377cf8a6758646ad1899449af4a56c9d74c4249525.exe
"C:\Users\Admin\AppData\Local\Temp\81978f818cf6d7fc9e9e3c377cf8a6758646ad1899449af4a56c9d74c4249525.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dm2Wy46.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dm2Wy46.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hF7RH66.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hF7RH66.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB2jh88.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB2jh88.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tr4Tx21.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tr4Tx21.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bp4bP67.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bp4bP67.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1vi75WQ2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1vi75WQ2.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 624
        8⤵
        Program crash
        
        PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dm2Wy46.exe

Filesize
1.5MB

MD5
4d999ca28a3df62b29ab5d3d45700421

SHA1
6b680300979b5405dbcad73e8addf5c053400ca6

SHA256
9f760715c75756b0787a41958ec6484a9bd80bee0c552b9c26c9b86b2cbbb62a

SHA512
339f157b0c0617e36be114293dbaf61025c2ea322334a4bfc13ec258ddd4eaf8eaef2ce72deafb7251d86d19a56fe08bb800018b9f06720a34680b9f23e5f774

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dm2Wy46.exe

Filesize
1.5MB

MD5
4d999ca28a3df62b29ab5d3d45700421

SHA1
6b680300979b5405dbcad73e8addf5c053400ca6

SHA256
9f760715c75756b0787a41958ec6484a9bd80bee0c552b9c26c9b86b2cbbb62a

SHA512
339f157b0c0617e36be114293dbaf61025c2ea322334a4bfc13ec258ddd4eaf8eaef2ce72deafb7251d86d19a56fe08bb800018b9f06720a34680b9f23e5f774

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hF7RH66.exe

Filesize
1.3MB

MD5
41c6e23e7420d8a6d045688025a23213

SHA1
892bdea23f1381dd7056fa27ccf4c669a42209b3

SHA256
2545918f019f3f222365b399e3d7f7ca986eba098c759849ef916d8bb47c812a

SHA512
c1a0a66bd315c65ec0f71873765c05b0d8b0792a4dbaad58b72d870f27198a1f8c2b2e55efebb74f2f4866c2be64e2389de22844392347ba681b50ec044dcf4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hF7RH66.exe

Filesize
1.3MB

MD5
41c6e23e7420d8a6d045688025a23213

SHA1
892bdea23f1381dd7056fa27ccf4c669a42209b3

SHA256
2545918f019f3f222365b399e3d7f7ca986eba098c759849ef916d8bb47c812a

SHA512
c1a0a66bd315c65ec0f71873765c05b0d8b0792a4dbaad58b72d870f27198a1f8c2b2e55efebb74f2f4866c2be64e2389de22844392347ba681b50ec044dcf4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB2jh88.exe

Filesize
1.1MB

MD5
34ace10c96441c6116dd6fb304bc11bb

SHA1
97adf21453c688d4b81a91d8b0100fa5ce3fa2f9

SHA256
3abb94b25c30302b3c6ea9f37ad761fe26d0eddf7d843bb8483b1e6db9d62740

SHA512
0949903d1c5284021366da4b0202862788569ed71cadae44f8599dcdd17582cc82799cd2dd9725fc9891c69f8623930028398cacc9c6216c3cee4527fe62d9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB2jh88.exe

Filesize
1.1MB

MD5
34ace10c96441c6116dd6fb304bc11bb

SHA1
97adf21453c688d4b81a91d8b0100fa5ce3fa2f9

SHA256
3abb94b25c30302b3c6ea9f37ad761fe26d0eddf7d843bb8483b1e6db9d62740

SHA512
0949903d1c5284021366da4b0202862788569ed71cadae44f8599dcdd17582cc82799cd2dd9725fc9891c69f8623930028398cacc9c6216c3cee4527fe62d9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tr4Tx21.exe

Filesize
702KB

MD5
89a60a8fd729c1effa4921a2a23898e9

SHA1
29d099e55b2cd02dcb6d85ce40fc202d10209656

SHA256
3edff4635c7311fad4b6925fdaa559a489a7a89906b491753b70d0ceb1ae24a6

SHA512
ff431374a1350a623fa191150e573fd27d47c1f48b3d7ff83c0817d4323f5722ad868dcd4980840016861900d27d8799a1cfab210954f0b744a2c16448e1d96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tr4Tx21.exe

Filesize
702KB

MD5
89a60a8fd729c1effa4921a2a23898e9

SHA1
29d099e55b2cd02dcb6d85ce40fc202d10209656

SHA256
3edff4635c7311fad4b6925fdaa559a489a7a89906b491753b70d0ceb1ae24a6

SHA512
ff431374a1350a623fa191150e573fd27d47c1f48b3d7ff83c0817d4323f5722ad868dcd4980840016861900d27d8799a1cfab210954f0b744a2c16448e1d96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bp4bP67.exe

Filesize
578KB

MD5
4647f829bfbb2293a097a658aa13b56d

SHA1
722ccc59627079371b22a40a60608f175ba2b205

SHA256
59b4c2aa52fc3264477d265bac08a37b77c7b419b2d658a25b32c93eea7537c0

SHA512
54a8e89bb4505728e56c6a00d30c19782a96ddad6f0e3d00f59936d72df85a2b77f607089f828f441a0948fc11f5ea5bec2b61c936fc134431f175f88c9fb5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Bp4bP67.exe

Filesize
578KB

MD5
4647f829bfbb2293a097a658aa13b56d

SHA1
722ccc59627079371b22a40a60608f175ba2b205

SHA256
59b4c2aa52fc3264477d265bac08a37b77c7b419b2d658a25b32c93eea7537c0

SHA512
54a8e89bb4505728e56c6a00d30c19782a96ddad6f0e3d00f59936d72df85a2b77f607089f828f441a0948fc11f5ea5bec2b61c936fc134431f175f88c9fb5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1vi75WQ2.exe

Filesize
1.4MB

MD5
1656d9b62fc8b7d5c950b2c016cf938f

SHA1
882473cc6b32c99f4d0a35c2fbe53d45f779ef29

SHA256
3d96d9cae995f3d88d3f1d5718997d84c4ec2b6a1ba2b8b75370965b03f3f486

SHA512
75b0a2c4b6b543ce31695e8cc94ec77152d7ba93c1462292f20d49396406ca68c58cc5f7aa78d49f51fa72e8a3b5079dcf514697bd5bd902685311ebb0c5c341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1vi75WQ2.exe

Filesize
1.4MB

MD5
1656d9b62fc8b7d5c950b2c016cf938f

SHA1
882473cc6b32c99f4d0a35c2fbe53d45f779ef29

SHA256
3d96d9cae995f3d88d3f1d5718997d84c4ec2b6a1ba2b8b75370965b03f3f486

SHA512
75b0a2c4b6b543ce31695e8cc94ec77152d7ba93c1462292f20d49396406ca68c58cc5f7aa78d49f51fa72e8a3b5079dcf514697bd5bd902685311ebb0c5c341

Download Submit
memory/2580-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2580-45-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-54-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-69-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download