5c45bf98ea616600a254e78d95d5b5e5322228e26efa4c649044027f249988c8

Analysis

max time kernel
128s
max time network
136s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
04/11/2023, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c45bf98ea616600a254e78d95d5b5e5322228e26efa4c649044027f249988c8.exe
Size

1.4MB
MD5

e7c1268e01646320fa320d940102c8d2
SHA1

1a24304b042143c27f0f63d66b7437e97a90f896
SHA256

5c45bf98ea616600a254e78d95d5b5e5322228e26efa4c649044027f249988c8
SHA512

58820bd0d78e885c620364f72cec9be3e03289d9e54e9f59e196ee9aaa97774575a3da16ecee570ebfc7da4797606dd819a386a43bae3cfb19eb9ed949c75a29
SSDEEP

24576:8yaKjpi1w7WtFJL68e/wK0KIt7oXi5qFRlpsRzNcAR/hAibUSIu7EClzQ81yRMZW:rhjM1xdL6BYhvoXi5qxpsrc22mUpu71E

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1kY64QW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1kY64QW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1kY64QW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1kY64QW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1kY64QW9.exe

Executes dropped EXE 6 IoCs

pid	Process
756	fc4pX29.exe
5020	xj3DT70.exe
3472	aS5Bg40.exe
3632	Nw6EZ47.exe
5036	1kY64QW9.exe
4312	2UW4736.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1kY64QW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1kY64QW9.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fc4pX29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xj3DT70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	aS5Bg40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Nw6EZ47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5c45bf98ea616600a254e78d95d5b5e5322228e26efa4c649044027f249988c8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4312 set thread context of 1592	4312	2UW4736.exe	78

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4512	1592	WerFault.exe	78
2880	4312	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	1kY64QW9.exe
5036	1kY64QW9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	1kY64QW9.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 756	556	5c45bf98ea616600a254e78d95d5b5e5322228e26efa4c649044027f249988c8.exe	71
PID 556 wrote to memory of 756	556	5c45bf98ea616600a254e78d95d5b5e5322228e26efa4c649044027f249988c8.exe	71
PID 556 wrote to memory of 756	556	5c45bf98ea616600a254e78d95d5b5e5322228e26efa4c649044027f249988c8.exe	71
PID 756 wrote to memory of 5020	756	fc4pX29.exe	72
PID 756 wrote to memory of 5020	756	fc4pX29.exe	72
PID 756 wrote to memory of 5020	756	fc4pX29.exe	72
PID 5020 wrote to memory of 3472	5020	xj3DT70.exe	73
PID 5020 wrote to memory of 3472	5020	xj3DT70.exe	73
PID 5020 wrote to memory of 3472	5020	xj3DT70.exe	73
PID 3472 wrote to memory of 3632	3472	aS5Bg40.exe	74
PID 3472 wrote to memory of 3632	3472	aS5Bg40.exe	74
PID 3472 wrote to memory of 3632	3472	aS5Bg40.exe	74
PID 3632 wrote to memory of 5036	3632	Nw6EZ47.exe	75
PID 3632 wrote to memory of 5036	3632	Nw6EZ47.exe	75
PID 3632 wrote to memory of 5036	3632	Nw6EZ47.exe	75
PID 3632 wrote to memory of 4312	3632	Nw6EZ47.exe	76
PID 3632 wrote to memory of 4312	3632	Nw6EZ47.exe	76
PID 3632 wrote to memory of 4312	3632	Nw6EZ47.exe	76
PID 4312 wrote to memory of 1592	4312	2UW4736.exe	78
PID 4312 wrote to memory of 1592	4312	2UW4736.exe	78
PID 4312 wrote to memory of 1592	4312	2UW4736.exe	78
PID 4312 wrote to memory of 1592	4312	2UW4736.exe	78
PID 4312 wrote to memory of 1592	4312	2UW4736.exe	78
PID 4312 wrote to memory of 1592	4312	2UW4736.exe	78
PID 4312 wrote to memory of 1592	4312	2UW4736.exe	78
PID 4312 wrote to memory of 1592	4312	2UW4736.exe	78
PID 4312 wrote to memory of 1592	4312	2UW4736.exe	78
PID 4312 wrote to memory of 1592	4312	2UW4736.exe	78

C:\Users\Admin\AppData\Local\Temp\5c45bf98ea616600a254e78d95d5b5e5322228e26efa4c649044027f249988c8.exe
"C:\Users\Admin\AppData\Local\Temp\5c45bf98ea616600a254e78d95d5b5e5322228e26efa4c649044027f249988c8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fc4pX29.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fc4pX29.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xj3DT70.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xj3DT70.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS5Bg40.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS5Bg40.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Nw6EZ47.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Nw6EZ47.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3632
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kY64QW9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kY64QW9.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UW4736.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UW4736.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 568
        8⤵
        Program crash
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 620
        7⤵
        Program crash
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fc4pX29.exe

Filesize
1.3MB

MD5
731f28af2fcb9edd156b64ed99b79a20

SHA1
04b9f6804c93336ec9b7f0b03e0e23f58c9bad6d

SHA256
23dfb61bf17be0ce989b22105c5394e684f6f684ea8bdd2fbc71bd83cabfce03

SHA512
eaf0f1aec61cb023ebdd05ea67882844377ebe51c8a2d64619c21d8744ca70617f0f5ab43f08903d07ae4e552808adc951f472a22be380d9076ea8af59cc9b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fc4pX29.exe

Filesize
1.3MB

MD5
731f28af2fcb9edd156b64ed99b79a20

SHA1
04b9f6804c93336ec9b7f0b03e0e23f58c9bad6d

SHA256
23dfb61bf17be0ce989b22105c5394e684f6f684ea8bdd2fbc71bd83cabfce03

SHA512
eaf0f1aec61cb023ebdd05ea67882844377ebe51c8a2d64619c21d8744ca70617f0f5ab43f08903d07ae4e552808adc951f472a22be380d9076ea8af59cc9b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xj3DT70.exe

Filesize
1.1MB

MD5
bdf5732c8aa4dc359066ba55231ad200

SHA1
a8cfcff81027dac631aa08b38bc72ca85b91d275

SHA256
2232cbccc3dd0dc84cca6e13d2c1f6f058cccc000cfa050b0399e561eaac5c38

SHA512
06d153fa43658f766a01217d714b425035e9f3f8edd158e75d6339c5c2802ecb289c82b01ff648f5da95396908e1dacd808ce4c591a10b5fc0f2e6ca9e46bd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xj3DT70.exe

Filesize
1.1MB

MD5
bdf5732c8aa4dc359066ba55231ad200

SHA1
a8cfcff81027dac631aa08b38bc72ca85b91d275

SHA256
2232cbccc3dd0dc84cca6e13d2c1f6f058cccc000cfa050b0399e561eaac5c38

SHA512
06d153fa43658f766a01217d714b425035e9f3f8edd158e75d6339c5c2802ecb289c82b01ff648f5da95396908e1dacd808ce4c591a10b5fc0f2e6ca9e46bd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS5Bg40.exe

Filesize
664KB

MD5
a8b315b9abc05e325edbe765bcfc515e

SHA1
61edd59a5e285299100677cfb07744d9f9b091f5

SHA256
bdfb461b49948f11ba93d05d8450f2540e1d96e4e790a2f9611a3334da5d593e

SHA512
6edcd6c0ff90d29f1ceb163c9d435a1a3ed51f529241aba6e05dec3e71778733287b18aa1bb50a8d9303a0d0dcc6d34dfd0cb80b4c2553ac1078f2f9533b761d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS5Bg40.exe

Filesize
664KB

MD5
a8b315b9abc05e325edbe765bcfc515e

SHA1
61edd59a5e285299100677cfb07744d9f9b091f5

SHA256
bdfb461b49948f11ba93d05d8450f2540e1d96e4e790a2f9611a3334da5d593e

SHA512
6edcd6c0ff90d29f1ceb163c9d435a1a3ed51f529241aba6e05dec3e71778733287b18aa1bb50a8d9303a0d0dcc6d34dfd0cb80b4c2553ac1078f2f9533b761d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Nw6EZ47.exe

Filesize
539KB

MD5
d745891424b4e91a85f7846ed3af40e5

SHA1
2df1637f04a373200ebbaf2cd09bd47060a89400

SHA256
aeaefd72db72b6d1c76a3a7cf348c57cddac9cfd715ea44659d48454327dceb5

SHA512
f77d7f21666f7c5b378bc57ca798dca4d41a63ff75275ac7c865ea6d235c9073b1fc72e99db1ba18f927fccc9a4ec2c76211ac007f62cc364e0b80f2ddde76b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Nw6EZ47.exe

Filesize
539KB

MD5
d745891424b4e91a85f7846ed3af40e5

SHA1
2df1637f04a373200ebbaf2cd09bd47060a89400

SHA256
aeaefd72db72b6d1c76a3a7cf348c57cddac9cfd715ea44659d48454327dceb5

SHA512
f77d7f21666f7c5b378bc57ca798dca4d41a63ff75275ac7c865ea6d235c9073b1fc72e99db1ba18f927fccc9a4ec2c76211ac007f62cc364e0b80f2ddde76b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kY64QW9.exe

Filesize
11KB

MD5
22b50c95b39cbbdb00d5a4cd3d4886bd

SHA1
db8326c4fad0064ce3020226e8556e7cce8ce04e

SHA256
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1

SHA512
d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kY64QW9.exe

Filesize
11KB

MD5
22b50c95b39cbbdb00d5a4cd3d4886bd

SHA1
db8326c4fad0064ce3020226e8556e7cce8ce04e

SHA256
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1

SHA512
d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UW4736.exe

Filesize
1.6MB

MD5
10161398f2b53b380e3f1c5d48eda1e1

SHA1
f38655807daebff87a5ecac248464befdf0bde6a

SHA256
63329809cb62a3e94c285a46c90161ea1aa17c3909b97dd4c0251511d8254bab

SHA512
f8f4fa053c37a49d4b36b2c33c4df50891b13e440e92a42c0d3b5009090925b7e90a9e2c0459a8e089f97a46b6a28e395be38abbce38730853dfe05b22678dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UW4736.exe

Filesize
1.6MB

MD5
10161398f2b53b380e3f1c5d48eda1e1

SHA1
f38655807daebff87a5ecac248464befdf0bde6a

SHA256
63329809cb62a3e94c285a46c90161ea1aa17c3909b97dd4c0251511d8254bab

SHA512
f8f4fa053c37a49d4b36b2c33c4df50891b13e440e92a42c0d3b5009090925b7e90a9e2c0459a8e089f97a46b6a28e395be38abbce38730853dfe05b22678dc0

Download Submit
memory/1592-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-37-0x0000000073450000-0x0000000073B3E000-memory.dmp

Filesize
6.9MB

Download
memory/5036-39-0x0000000073450000-0x0000000073B3E000-memory.dmp

Filesize
6.9MB

Download
memory/5036-35-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/5036-36-0x0000000073450000-0x0000000073B3E000-memory.dmp

Filesize
6.9MB

Download