72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8

Analysis

max time kernel
59s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 22:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe
Size

694KB
MD5

2f96d15c62688b1c75a5f8d4a9d8e02a
SHA1

725d7fc70afa05d6b13cd50920655e372d130c10
SHA256

72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8
SHA512

05588a6c12d34e0c426c3fe542926ab3d939cd33af5c18652c25e9ae21d50e2d9bb97db80580021161c713b8c49a66443968d31b785c19c35ed38d912552ed1a
SSDEEP

12288:Fy90kNG3s54kwsZQhWLEfofDhs0T7DAvatxIBt+kFR+jT:FyXNbikVZb48cgqrNR+jT

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr447060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr447060.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr447060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr447060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr447060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr447060.exe

Executes dropped EXE 4 IoCs

pid	Process
224	un151862.exe
3572	pr447060.exe
4440	qu246937.exe
3096	si877513.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr447060.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr447060.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un151862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un151862.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4856	3572	WerFault.exe	85
1736	4440	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3572	pr447060.exe
3572	pr447060.exe
4440	qu246937.exe
4440	qu246937.exe
3096	si877513.exe
3096	si877513.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	pr447060.exe
Token: SeDebugPrivilege	4440	qu246937.exe
Token: SeDebugPrivilege	3096	si877513.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 224	4932	72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe	84
PID 4932 wrote to memory of 224	4932	72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe	84
PID 4932 wrote to memory of 224	4932	72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe	84
PID 224 wrote to memory of 3572	224	un151862.exe	85
PID 224 wrote to memory of 3572	224	un151862.exe	85
PID 224 wrote to memory of 3572	224	un151862.exe	85
PID 224 wrote to memory of 4440	224	un151862.exe	88
PID 224 wrote to memory of 4440	224	un151862.exe	88
PID 224 wrote to memory of 4440	224	un151862.exe	88
PID 4932 wrote to memory of 3096	4932	72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe	91
PID 4932 wrote to memory of 3096	4932	72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe	91
PID 4932 wrote to memory of 3096	4932	72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe	91

C:\Users\Admin\AppData\Local\Temp\72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe
"C:\Users\Admin\AppData\Local\Temp\72ac18a553e67f4c413e5619bfd3a7cbcd592989015e078acb1d0ea0fd9a62d8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un151862.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un151862.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr447060.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr447060.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1084
      4⤵
      Program crash
      PID:4856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu246937.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu246937.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1320
      4⤵
      Program crash
      PID:1736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si877513.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si877513.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3572 -ip 3572
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4440 -ip 4440
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si877513.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si877513.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un151862.exe

Filesize
540KB

MD5
6541722690523b72f62b141ea533e033

SHA1
d1eb67ab9ab87369ec9d7dd1b515d88330952309

SHA256
fa01128ad7c842e6dd1756dc9adfbb3178ee7766b101824c63703eeca1f70730

SHA512
9465d6372b1b320dc8583e21fd90bb13365e91ff68fba6258925a2a38438b50b8e3c6fb0a25057268355795cc45020358406a6f8ef9960ac9ea3e437347916fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un151862.exe

Filesize
540KB

MD5
6541722690523b72f62b141ea533e033

SHA1
d1eb67ab9ab87369ec9d7dd1b515d88330952309

SHA256
fa01128ad7c842e6dd1756dc9adfbb3178ee7766b101824c63703eeca1f70730

SHA512
9465d6372b1b320dc8583e21fd90bb13365e91ff68fba6258925a2a38438b50b8e3c6fb0a25057268355795cc45020358406a6f8ef9960ac9ea3e437347916fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr447060.exe

Filesize
278KB

MD5
aa5ead3c0b3f24a24c58a47665be7baf

SHA1
6d9dce8aac116973ea64b9eb09564e4a11588afa

SHA256
4b852df22b0942414e2fa5d79c77397d12426099a99d0dce624c96ee264b8792

SHA512
044fe7c63fbe0541001778510fc231c476f320108c18f674ea44ab6b27f7a5df7049841936d4f62f5c2398b115842fa02ede9064c445128fdc20e7eca0ed4e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr447060.exe

Filesize
278KB

MD5
aa5ead3c0b3f24a24c58a47665be7baf

SHA1
6d9dce8aac116973ea64b9eb09564e4a11588afa

SHA256
4b852df22b0942414e2fa5d79c77397d12426099a99d0dce624c96ee264b8792

SHA512
044fe7c63fbe0541001778510fc231c476f320108c18f674ea44ab6b27f7a5df7049841936d4f62f5c2398b115842fa02ede9064c445128fdc20e7eca0ed4e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu246937.exe

Filesize
361KB

MD5
4592cd3eeaeefe42aa72a20d6f068337

SHA1
e49d3fc4e20b2a0e0bac0fbf63eaa42b3f624d2d

SHA256
f454000b01eddefc4dc26d1d765322330d423026c2c6257ba3638546d7d4625c

SHA512
6446d985a5ec25eca379ff13c70b76ef76d5e3e999eb816365d9a6649e2b177ac98f6af3015d52cde4b3b5c3472fa2dc4e027fa9f4ba133da909ce3fe6f9a704

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu246937.exe

Filesize
361KB

MD5
4592cd3eeaeefe42aa72a20d6f068337

SHA1
e49d3fc4e20b2a0e0bac0fbf63eaa42b3f624d2d

SHA256
f454000b01eddefc4dc26d1d765322330d423026c2c6257ba3638546d7d4625c

SHA512
6446d985a5ec25eca379ff13c70b76ef76d5e3e999eb816365d9a6649e2b177ac98f6af3015d52cde4b3b5c3472fa2dc4e027fa9f4ba133da909ce3fe6f9a704

Download Submit
memory/3096-1006-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/3096-1005-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/3572-158-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-172-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-151-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-152-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-154-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-156-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-149-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3572-160-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-162-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-164-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-166-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-168-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-170-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-150-0x0000000007230000-0x00000000077D4000-memory.dmp

Filesize
5.6MB

Download
memory/3572-174-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-176-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-178-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3572-179-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3572-180-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3572-181-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/3572-182-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3572-184-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3572-185-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3572-186-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/3572-148-0x0000000002C80000-0x0000000002CAD000-memory.dmp

Filesize
180KB

Download
memory/4440-191-0x0000000002BC0000-0x0000000002C06000-memory.dmp

Filesize
280KB

Download
memory/4440-192-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4440-194-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-195-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-197-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-199-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-201-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-203-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-205-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-207-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-209-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-211-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-215-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-217-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-213-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-219-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-221-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-223-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-225-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-227-0x0000000007730000-0x0000000007765000-memory.dmp

Filesize
212KB

Download
memory/4440-454-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4440-987-0x0000000009C50000-0x000000000A268000-memory.dmp

Filesize
6.1MB

Download
memory/4440-988-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/4440-989-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/4440-990-0x000000000A460000-0x000000000A49C000-memory.dmp

Filesize
240KB

Download
memory/4440-991-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4440-992-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/4440-993-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/4440-994-0x000000000AED0000-0x000000000AF46000-memory.dmp

Filesize
472KB

Download
memory/4440-995-0x000000000AF80000-0x000000000AF9E000-memory.dmp

Filesize
120KB

Download
memory/4440-193-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4440-996-0x000000000B0B0000-0x000000000B272000-memory.dmp

Filesize
1.8MB

Download
memory/4440-997-0x000000000B280000-0x000000000B7AC000-memory.dmp

Filesize
5.2MB

Download
memory/4440-998-0x0000000006CA0000-0x0000000006CF0000-memory.dmp

Filesize
320KB

Download