f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6

Analysis

max time kernel
53s
max time network
66s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-04-2023 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe
Size

694KB
MD5

bc9a30b6186b9a3c1481a8ff96507be7
SHA1

7247fa2352ec1e285c355cd9fcf0296cda8344d0
SHA256

f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6
SHA512

2f8c7bed09f39b5da5f3849b0dbe812d560ad891fb4bbf175865d74cade5560246639d1144cdc655362201130bcff08799ac53cfa5803cebf6dac8a11d17f302
SSDEEP

12288:Xy90StO6rmPgTPWk1LmsWQhGowyy+DUZjiPaydT7Do7aGxPBlHANUudt:XyDmPg7J1DWBzyy+QViPa0UTB3R8t

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr359786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr359786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr359786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr359786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr359786.exe

Executes dropped EXE 4 IoCs

pid	Process
2548	un595671.exe
3004	pr359786.exe
3736	qu724317.exe
2500	si616916.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr359786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr359786.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un595671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un595671.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3004	pr359786.exe
3004	pr359786.exe
3736	qu724317.exe
3736	qu724317.exe
2500	si616916.exe
2500	si616916.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	pr359786.exe
Token: SeDebugPrivilege	3736	qu724317.exe
Token: SeDebugPrivilege	2500	si616916.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2548	2488	f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe	66
PID 2488 wrote to memory of 2548	2488	f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe	66
PID 2488 wrote to memory of 2548	2488	f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe	66
PID 2548 wrote to memory of 3004	2548	un595671.exe	67
PID 2548 wrote to memory of 3004	2548	un595671.exe	67
PID 2548 wrote to memory of 3004	2548	un595671.exe	67
PID 2548 wrote to memory of 3736	2548	un595671.exe	68
PID 2548 wrote to memory of 3736	2548	un595671.exe	68
PID 2548 wrote to memory of 3736	2548	un595671.exe	68
PID 2488 wrote to memory of 2500	2488	f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe	70
PID 2488 wrote to memory of 2500	2488	f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe	70
PID 2488 wrote to memory of 2500	2488	f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe	70

C:\Users\Admin\AppData\Local\Temp\f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe
"C:\Users\Admin\AppData\Local\Temp\f3a94dcdfe99ecbe3b07ad45a24581852ea6c47e503aa3b5fd9f4148e47fd4e6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un595671.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un595671.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr359786.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr359786.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu724317.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu724317.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si616916.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si616916.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si616916.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si616916.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un595671.exe

Filesize
540KB

MD5
1554633d8f9f9b71aba281378af5ec02

SHA1
0cc642ea7341970e92b6e1bf8b94c43d10ae9e06

SHA256
2aa0429022aa6aec05fe036e40057317f3c2a3955ba47ba5b4f279c4d8d4f414

SHA512
e2b6e8e1d6c9c29920e6fd32eaa48dbb21ca1c70a632f86022d82008830fa29a9d64c06aee3ef512bb52953a4e9fd3fdadb85a49eaf19905196b6735148fb2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un595671.exe

Filesize
540KB

MD5
1554633d8f9f9b71aba281378af5ec02

SHA1
0cc642ea7341970e92b6e1bf8b94c43d10ae9e06

SHA256
2aa0429022aa6aec05fe036e40057317f3c2a3955ba47ba5b4f279c4d8d4f414

SHA512
e2b6e8e1d6c9c29920e6fd32eaa48dbb21ca1c70a632f86022d82008830fa29a9d64c06aee3ef512bb52953a4e9fd3fdadb85a49eaf19905196b6735148fb2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr359786.exe

Filesize
278KB

MD5
b3d7295070307987bd012cc80660ca2b

SHA1
84e53117a82e7d0035ef91559003ed6e0463c9af

SHA256
752e5430e09e4c4abacd4572ecb4bdf37687a0834bca954c76cbee4a24bac3b8

SHA512
3a7f412fe5e825b422c22d9540a85db9acd754465b8d62378ca29846721ba459c86a7d0ae167c0ac454fd34e7137461a2e5cc04039e994c8b6532b661d3e604e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr359786.exe

Filesize
278KB

MD5
b3d7295070307987bd012cc80660ca2b

SHA1
84e53117a82e7d0035ef91559003ed6e0463c9af

SHA256
752e5430e09e4c4abacd4572ecb4bdf37687a0834bca954c76cbee4a24bac3b8

SHA512
3a7f412fe5e825b422c22d9540a85db9acd754465b8d62378ca29846721ba459c86a7d0ae167c0ac454fd34e7137461a2e5cc04039e994c8b6532b661d3e604e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu724317.exe

Filesize
361KB

MD5
e0c845e7b997ab5449c3dcb56be5288c

SHA1
4c8ac6273a79f9f66e602793b9233b5c6aa128c9

SHA256
98769d95777f536087e749d3ca083a82e0ed25607eeb215b46d9756874227393

SHA512
734a36a3d0fd8d37a5416bd466f2e53261e8ca3593d8d43221a41093cfa3811947ae54fb59ed445532ce36a0fb2c05aafd679e71bd1f18493ba25d0029bf43b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu724317.exe

Filesize
361KB

MD5
e0c845e7b997ab5449c3dcb56be5288c

SHA1
4c8ac6273a79f9f66e602793b9233b5c6aa128c9

SHA256
98769d95777f536087e749d3ca083a82e0ed25607eeb215b46d9756874227393

SHA512
734a36a3d0fd8d37a5416bd466f2e53261e8ca3593d8d43221a41093cfa3811947ae54fb59ed445532ce36a0fb2c05aafd679e71bd1f18493ba25d0029bf43b5

Download Submit
memory/2500-994-0x0000000000A20000-0x0000000000A48000-memory.dmp

Filesize
160KB

Download
memory/2500-995-0x00000000077A0000-0x00000000077EB000-memory.dmp

Filesize
300KB

Download
memory/2500-996-0x0000000007AD0000-0x0000000007AE0000-memory.dmp

Filesize
64KB

Download
memory/3004-143-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-155-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-140-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/3004-141-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/3004-142-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-138-0x0000000004C90000-0x0000000004CA8000-memory.dmp

Filesize
96KB

Download
memory/3004-145-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-147-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-149-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-151-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-153-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-139-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3004-157-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-159-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-161-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-163-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-165-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-167-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-169-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3004-170-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/3004-172-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/3004-137-0x0000000007120000-0x000000000761E000-memory.dmp

Filesize
5.0MB

Download
memory/3004-136-0x0000000004BF0000-0x0000000004C0A000-memory.dmp

Filesize
104KB

Download
memory/3736-179-0x0000000004C00000-0x0000000004C3A000-memory.dmp

Filesize
232KB

Download
memory/3736-434-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/3736-181-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-183-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-187-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-185-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-189-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-191-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-193-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-195-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-199-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-201-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-197-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-203-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-205-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-213-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-211-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-209-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-207-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-180-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3736-436-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/3736-438-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/3736-975-0x0000000009B80000-0x000000000A186000-memory.dmp

Filesize
6.0MB

Download
memory/3736-976-0x000000000A200000-0x000000000A212000-memory.dmp

Filesize
72KB

Download
memory/3736-977-0x000000000A230000-0x000000000A33A000-memory.dmp

Filesize
1.0MB

Download
memory/3736-978-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/3736-979-0x000000000A350000-0x000000000A38E000-memory.dmp

Filesize
248KB

Download
memory/3736-980-0x000000000A3D0000-0x000000000A41B000-memory.dmp

Filesize
300KB

Download
memory/3736-981-0x000000000A660000-0x000000000A6C6000-memory.dmp

Filesize
408KB

Download
memory/3736-982-0x000000000AD10000-0x000000000ADA2000-memory.dmp

Filesize
584KB

Download
memory/3736-983-0x000000000ADC0000-0x000000000AE10000-memory.dmp

Filesize
320KB

Download
memory/3736-984-0x000000000AE30000-0x000000000AEA6000-memory.dmp

Filesize
472KB

Download
memory/3736-178-0x0000000004A40000-0x0000000004A7C000-memory.dmp

Filesize
240KB

Download
memory/3736-177-0x0000000002CD0000-0x0000000002D16000-memory.dmp

Filesize
280KB

Download
memory/3736-985-0x000000000AFF0000-0x000000000B1B2000-memory.dmp

Filesize
1.8MB

Download
memory/3736-986-0x000000000B1D0000-0x000000000B6FC000-memory.dmp

Filesize
5.2MB

Download
memory/3736-987-0x000000000B820000-0x000000000B83E000-memory.dmp

Filesize
120KB

Download