a6ff42c1b0cacd1008382a5a62c52dbb065a7518e7aa5f63d3db0642b53d52b4

Analysis

max time kernel
23s
max time network
26s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
18/04/2023, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ff42c1b0cacd1008382a5a62c52dbb065a7518e7aa5f63d3db0642b53d52b4.exe
Size

843KB
MD5

3b246add624f430ecb66e0d44c25b179
SHA1

53bb9370a265269343b822bb60453cab55d2f1a0
SHA256

a6ff42c1b0cacd1008382a5a62c52dbb065a7518e7aa5f63d3db0642b53d52b4
SHA512

f8b37fdd2003fc84c786cae91657ed3a54aa12e9e342565896c1bfaf8c939178ba4be5bddc9c7daa312ba72f3fe69e85c5ef722d61abb289ab666c67322b623f
SSDEEP

24576:hy3lwKDjh7Hcue4rZ39bL36nRevVY/mYS:UCKD1y4939P6svOD

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it808358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it808358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it808358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it808358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it808358.exe

Executes dropped EXE 4 IoCs

pid	Process
2508	zigJ5807.exe
2552	ziDy8395.exe
2996	it808358.exe
3900	jr841237.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it808358.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziDy8395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziDy8395.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a6ff42c1b0cacd1008382a5a62c52dbb065a7518e7aa5f63d3db0642b53d52b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a6ff42c1b0cacd1008382a5a62c52dbb065a7518e7aa5f63d3db0642b53d52b4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zigJ5807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zigJ5807.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2996	it808358.exe
2996	it808358.exe
3900	jr841237.exe
3900	jr841237.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	it808358.exe
Token: SeDebugPrivilege	3900	jr841237.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2508	2156	a6ff42c1b0cacd1008382a5a62c52dbb065a7518e7aa5f63d3db0642b53d52b4.exe	66
PID 2156 wrote to memory of 2508	2156	a6ff42c1b0cacd1008382a5a62c52dbb065a7518e7aa5f63d3db0642b53d52b4.exe	66
PID 2156 wrote to memory of 2508	2156	a6ff42c1b0cacd1008382a5a62c52dbb065a7518e7aa5f63d3db0642b53d52b4.exe	66
PID 2508 wrote to memory of 2552	2508	zigJ5807.exe	67
PID 2508 wrote to memory of 2552	2508	zigJ5807.exe	67
PID 2508 wrote to memory of 2552	2508	zigJ5807.exe	67
PID 2552 wrote to memory of 2996	2552	ziDy8395.exe	68
PID 2552 wrote to memory of 2996	2552	ziDy8395.exe	68
PID 2552 wrote to memory of 3900	2552	ziDy8395.exe	69
PID 2552 wrote to memory of 3900	2552	ziDy8395.exe	69
PID 2552 wrote to memory of 3900	2552	ziDy8395.exe	69

C:\Users\Admin\AppData\Local\Temp\a6ff42c1b0cacd1008382a5a62c52dbb065a7518e7aa5f63d3db0642b53d52b4.exe
"C:\Users\Admin\AppData\Local\Temp\a6ff42c1b0cacd1008382a5a62c52dbb065a7518e7aa5f63d3db0642b53d52b4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigJ5807.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigJ5807.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDy8395.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDy8395.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it808358.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it808358.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr841237.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr841237.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigJ5807.exe

Filesize
569KB

MD5
588155679f7f77fa632c88204b962786

SHA1
27bec88c92bd69396c3bed0d6457b396c91dd7af

SHA256
ed3a205289adbad87f38b6d276a2eee6fb07f4af59b13a62cda488b728e6b01e

SHA512
35f37c7a11a39fc83a1645bc7893fb70c78af6a782fdc492e1ae15c17c267f35596c876f2aa121622292da383a9190a8ba5969ac16cad783a4e8ca6025d5be6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigJ5807.exe

Filesize
569KB

MD5
588155679f7f77fa632c88204b962786

SHA1
27bec88c92bd69396c3bed0d6457b396c91dd7af

SHA256
ed3a205289adbad87f38b6d276a2eee6fb07f4af59b13a62cda488b728e6b01e

SHA512
35f37c7a11a39fc83a1645bc7893fb70c78af6a782fdc492e1ae15c17c267f35596c876f2aa121622292da383a9190a8ba5969ac16cad783a4e8ca6025d5be6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDy8395.exe

Filesize
414KB

MD5
e088a2a31ea4c8536950d11e76522c7e

SHA1
3060bfae91a080bd7fd91ba04a40ad132cfc7031

SHA256
670be04d5d838c0c7bd7a7c3dda3178bb5a9da5f29285a95e72ae6c264563f94

SHA512
82fcd0ecc68d0cbb9184379990abb82f4150df089290691f76508823085cfe89fa5a49dac8db6575921bdb403981453b8e3d454323bed124e69bb5d8ba4bc32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDy8395.exe

Filesize
414KB

MD5
e088a2a31ea4c8536950d11e76522c7e

SHA1
3060bfae91a080bd7fd91ba04a40ad132cfc7031

SHA256
670be04d5d838c0c7bd7a7c3dda3178bb5a9da5f29285a95e72ae6c264563f94

SHA512
82fcd0ecc68d0cbb9184379990abb82f4150df089290691f76508823085cfe89fa5a49dac8db6575921bdb403981453b8e3d454323bed124e69bb5d8ba4bc32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it808358.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it808358.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr841237.exe

Filesize
360KB

MD5
8a9a1257ec9a9fa8affae9f83491fc09

SHA1
a9681bb711bd72d532de0aaf735c7e64c96869d5

SHA256
4ad6ff00d049544b8f52ac892a5c14013d6539a0942393f1d5fd144d6f568cac

SHA512
a3267b708f354f6586cd5a9e2cc599492644213eea4cbd7fce5e67660bb2f083d0b6f9045a9077ffb3b8ab55866400de2316297d590a8b959ac2c0e275fb4b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr841237.exe

Filesize
360KB

MD5
8a9a1257ec9a9fa8affae9f83491fc09

SHA1
a9681bb711bd72d532de0aaf735c7e64c96869d5

SHA256
4ad6ff00d049544b8f52ac892a5c14013d6539a0942393f1d5fd144d6f568cac

SHA512
a3267b708f354f6586cd5a9e2cc599492644213eea4cbd7fce5e67660bb2f083d0b6f9045a9077ffb3b8ab55866400de2316297d590a8b959ac2c0e275fb4b97

Download Submit
memory/2996-142-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Filesize
40KB

Download
memory/3900-148-0x0000000002D30000-0x0000000002D76000-memory.dmp

Filesize
280KB

Download
memory/3900-149-0x0000000007100000-0x000000000713C000-memory.dmp

Filesize
240KB

Download
memory/3900-150-0x0000000007220000-0x000000000771E000-memory.dmp

Filesize
5.0MB

Download
memory/3900-151-0x0000000007180000-0x00000000071BA000-memory.dmp

Filesize
232KB

Download
memory/3900-152-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-153-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-155-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-157-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-159-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-161-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-163-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-165-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-167-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-169-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/3900-170-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/3900-171-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-174-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-172-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/3900-176-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-178-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-180-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-182-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-184-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-186-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-188-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-190-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-192-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-194-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-196-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-198-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-200-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-202-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-204-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-206-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-208-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-210-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-212-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-214-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-216-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-218-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3900-947-0x0000000009BA0000-0x000000000A1A6000-memory.dmp

Filesize
6.0MB

Download
memory/3900-948-0x000000000A200000-0x000000000A212000-memory.dmp

Filesize
72KB

Download
memory/3900-949-0x000000000A230000-0x000000000A33A000-memory.dmp

Filesize
1.0MB

Download
memory/3900-950-0x000000000A390000-0x000000000A3CE000-memory.dmp

Filesize
248KB

Download
memory/3900-951-0x000000000A4D0000-0x000000000A51B000-memory.dmp

Filesize
300KB

Download
memory/3900-952-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/3900-953-0x000000000A660000-0x000000000A6C6000-memory.dmp

Filesize
408KB

Download
memory/3900-954-0x000000000AD20000-0x000000000ADB2000-memory.dmp

Filesize
584KB

Download
memory/3900-955-0x000000000ADC0000-0x000000000AE36000-memory.dmp

Filesize
472KB

Download
memory/3900-956-0x000000000AE70000-0x000000000AE8E000-memory.dmp

Filesize
120KB

Download
memory/3900-957-0x000000000B050000-0x000000000B212000-memory.dmp

Filesize
1.8MB

Download
memory/3900-958-0x000000000B220000-0x000000000B74C000-memory.dmp

Filesize
5.2MB

Download
memory/3900-959-0x0000000004980000-0x00000000049D0000-memory.dmp

Filesize
320KB

Download