7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb

Analysis

max time kernel
52s
max time network
63s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22/04/2023, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe
Size

559KB
MD5

f768fb346f210eb3f13a4dd8d8040dca
SHA1

d3a06cb5dedc748e5b9c092b1dacda9082139433
SHA256

7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb
SHA512

974e8641b329784befc45c8130d8ea6530e7c5838eda2bfae44789933ce4a95c67c6a47e189fd2cdf19608537d72354608637ee3cf095bf09c5e8567ddc1c90d
SSDEEP

12288:6y90+v9dbEHHwHIat+vNv06uUeEca/6g5RrK/26k6:6yN96nRNTuUjGOA

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it048151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it048151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it048151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it048151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it048151.exe

Executes dropped EXE 4 IoCs

pid	Process
2592	ziGk8410.exe
2688	it048151.exe
3976	kp453654.exe
2588	lr932536.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it048151.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziGk8410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziGk8410.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2688	it048151.exe
2688	it048151.exe
3976	kp453654.exe
3976	kp453654.exe
2588	lr932536.exe
2588	lr932536.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	it048151.exe
Token: SeDebugPrivilege	3976	kp453654.exe
Token: SeDebugPrivilege	2588	lr932536.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 2592	4028	7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe	66
PID 4028 wrote to memory of 2592	4028	7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe	66
PID 4028 wrote to memory of 2592	4028	7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe	66
PID 2592 wrote to memory of 2688	2592	ziGk8410.exe	67
PID 2592 wrote to memory of 2688	2592	ziGk8410.exe	67
PID 2592 wrote to memory of 3976	2592	ziGk8410.exe	68
PID 2592 wrote to memory of 3976	2592	ziGk8410.exe	68
PID 2592 wrote to memory of 3976	2592	ziGk8410.exe	68
PID 4028 wrote to memory of 2588	4028	7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe	70
PID 4028 wrote to memory of 2588	4028	7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe	70
PID 4028 wrote to memory of 2588	4028	7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe	70

C:\Users\Admin\AppData\Local\Temp\7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe
"C:\Users\Admin\AppData\Local\Temp\7619871df3379084e1d6f1e110ff93f0ea9c5e7b34212fec1bd0cee303da5bbb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk8410.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk8410.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it048151.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it048151.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp453654.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp453654.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr932536.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr932536.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr932536.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr932536.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk8410.exe

Filesize
405KB

MD5
d5c29d830b18c7fc8aa14ce86eba055a

SHA1
cdfc5aa2747660b6334a02ad0c430b0cc0199924

SHA256
160835978485cbb78afc9af9b643787d9cddfa10b6d546a9dc648cb181e4ea34

SHA512
2d9d5cd3377cf5cde14f83c9b6d77c4a9c45ab570d94c5478c663a3881457d8a663b1957832cf0a00faebf56bcbfe10c76332b6cc55157a23bd10d68d64c9ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk8410.exe

Filesize
405KB

MD5
d5c29d830b18c7fc8aa14ce86eba055a

SHA1
cdfc5aa2747660b6334a02ad0c430b0cc0199924

SHA256
160835978485cbb78afc9af9b643787d9cddfa10b6d546a9dc648cb181e4ea34

SHA512
2d9d5cd3377cf5cde14f83c9b6d77c4a9c45ab570d94c5478c663a3881457d8a663b1957832cf0a00faebf56bcbfe10c76332b6cc55157a23bd10d68d64c9ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it048151.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it048151.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp453654.exe

Filesize
351KB

MD5
3c91cda96439742fdad3ce1e59680248

SHA1
b660968e44b81f1532bb19be6bf29e778a9917e6

SHA256
fd24803b18b6eb0ae6daffdf62d14c93f0d1d88a0e3f95b62d2a85bbb01144b0

SHA512
77bfb4e7c481d0295ef4aa5f38fc9e94476df231edf4b6b8f3db7ef55fad7ce56efe3fb31d987c7d54d0c4ad49a61bfb338fb31b44e3b78618c4ee5f40a8b712

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp453654.exe

Filesize
351KB

MD5
3c91cda96439742fdad3ce1e59680248

SHA1
b660968e44b81f1532bb19be6bf29e778a9917e6

SHA256
fd24803b18b6eb0ae6daffdf62d14c93f0d1d88a0e3f95b62d2a85bbb01144b0

SHA512
77bfb4e7c481d0295ef4aa5f38fc9e94476df231edf4b6b8f3db7ef55fad7ce56efe3fb31d987c7d54d0c4ad49a61bfb338fb31b44e3b78618c4ee5f40a8b712

Download Submit
memory/2588-959-0x0000000000E10000-0x0000000000E38000-memory.dmp

Filesize
160KB

Download
memory/2588-960-0x0000000007C10000-0x0000000007C20000-memory.dmp

Filesize
64KB

Download
memory/2588-961-0x0000000007B90000-0x0000000007BDB000-memory.dmp

Filesize
300KB

Download
memory/2688-135-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/3976-175-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-189-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-143-0x0000000004BF0000-0x0000000004C2A000-memory.dmp

Filesize
232KB

Download
memory/3976-145-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3976-146-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3976-147-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3976-149-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-148-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-151-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-153-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-155-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-157-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-159-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-161-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-163-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-165-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-167-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-171-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-169-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-173-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-142-0x00000000073A0000-0x000000000789E000-memory.dmp

Filesize
5.0MB

Download
memory/3976-177-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-179-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-181-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-183-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-185-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-187-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-144-0x0000000002BD0000-0x0000000002C16000-memory.dmp

Filesize
280KB

Download
memory/3976-191-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-193-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-195-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-197-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-199-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-201-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-203-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-205-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-207-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-209-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-211-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3976-940-0x000000000A230000-0x000000000A836000-memory.dmp

Filesize
6.0MB

Download
memory/3976-941-0x0000000007370000-0x0000000007382000-memory.dmp

Filesize
72KB

Download
memory/3976-942-0x0000000009C30000-0x0000000009D3A000-memory.dmp

Filesize
1.0MB

Download
memory/3976-943-0x0000000009D50000-0x0000000009D8E000-memory.dmp

Filesize
248KB

Download
memory/3976-944-0x0000000009ED0000-0x0000000009F1B000-memory.dmp

Filesize
300KB

Download
memory/3976-945-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3976-946-0x000000000A060000-0x000000000A0C6000-memory.dmp

Filesize
408KB

Download
memory/3976-947-0x000000000AE70000-0x000000000AF02000-memory.dmp

Filesize
584KB

Download
memory/3976-948-0x000000000B010000-0x000000000B086000-memory.dmp

Filesize
472KB

Download
memory/3976-141-0x0000000004880000-0x00000000048BC000-memory.dmp

Filesize
240KB

Download
memory/3976-949-0x000000000B0D0000-0x000000000B0EE000-memory.dmp

Filesize
120KB

Download
memory/3976-950-0x000000000B170000-0x000000000B1C0000-memory.dmp

Filesize
320KB

Download
memory/3976-951-0x000000000B1E0000-0x000000000B3A2000-memory.dmp

Filesize
1.8MB

Download
memory/3976-952-0x000000000B3C0000-0x000000000B8EC000-memory.dmp

Filesize
5.2MB

Download