ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0

Analysis

max time kernel
101s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2023, 22:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe
Size

695KB
MD5

4b3ce264a9a33b11f75cd5a262a80c7a
SHA1

0a6aeaba4fe8f4711f0ccd495a59b7d0d33dcd4a
SHA256

ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0
SHA512

4d8fb4459ef77f79bea00af965dacf837ac2c96dab7ba69a3c2b56e6efba61154a8079732c278931d4b578da6104c2bdae6fd4aa76de5c085d98d821a699a404
SSDEEP

12288:4y90zcDx11QEAcJDT/Y0sJcuYeTcY/6QnKshH2:4ytD1QEAu/Y01uYsHnXhW

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr441558.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr441558.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr441558.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr441558.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr441558.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr441558.exe

Executes dropped EXE 4 IoCs

pid	Process
1964	un794691.exe
4196	pr441558.exe
2720	qu173736.exe
3916	si738079.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr441558.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr441558.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un794691.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un794691.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1512	4196	WerFault.exe	83
760	2720	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4196	pr441558.exe
4196	pr441558.exe
2720	qu173736.exe
2720	qu173736.exe
3916	si738079.exe
3916	si738079.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	pr441558.exe
Token: SeDebugPrivilege	2720	qu173736.exe
Token: SeDebugPrivilege	3916	si738079.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 1964	4672	ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe	82
PID 4672 wrote to memory of 1964	4672	ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe	82
PID 4672 wrote to memory of 1964	4672	ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe	82
PID 1964 wrote to memory of 4196	1964	un794691.exe	83
PID 1964 wrote to memory of 4196	1964	un794691.exe	83
PID 1964 wrote to memory of 4196	1964	un794691.exe	83
PID 1964 wrote to memory of 2720	1964	un794691.exe	89
PID 1964 wrote to memory of 2720	1964	un794691.exe	89
PID 1964 wrote to memory of 2720	1964	un794691.exe	89
PID 4672 wrote to memory of 3916	4672	ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe	93
PID 4672 wrote to memory of 3916	4672	ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe	93
PID 4672 wrote to memory of 3916	4672	ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe	93

C:\Users\Admin\AppData\Local\Temp\ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe
"C:\Users\Admin\AppData\Local\Temp\ce938d98eced56513204182b46596bde549cfdaa30f297fbea33f941a0de7ae0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un794691.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un794691.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr441558.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr441558.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1084
      4⤵
      Program crash
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu173736.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu173736.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1852
      4⤵
      Program crash
      PID:760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si738079.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si738079.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4196 -ip 4196
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2720 -ip 2720
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si738079.exe

Filesize
136KB

MD5
8c80b06d843bd6a7599a5be2075d9a55

SHA1
caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

SHA256
e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

SHA512
cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si738079.exe

Filesize
136KB

MD5
8c80b06d843bd6a7599a5be2075d9a55

SHA1
caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

SHA256
e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

SHA512
cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un794691.exe

Filesize
541KB

MD5
562379bf20e34df2da12145ef47df7a7

SHA1
16cfb6e9479cbf172807a499808fdf9eede18050

SHA256
074b293353ce6827bfab86009c374ad6b32ff9100c782d17cf8359ae0a326741

SHA512
977fddf3a5c20f1761138c379e7903c30babbfe0e4622e18f39d0ad1e9e29b7af43bcabe2bcb61b49f586bfd27a92b2618be44ac28b6dd1ae4ba261d474fe346

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un794691.exe

Filesize
541KB

MD5
562379bf20e34df2da12145ef47df7a7

SHA1
16cfb6e9479cbf172807a499808fdf9eede18050

SHA256
074b293353ce6827bfab86009c374ad6b32ff9100c782d17cf8359ae0a326741

SHA512
977fddf3a5c20f1761138c379e7903c30babbfe0e4622e18f39d0ad1e9e29b7af43bcabe2bcb61b49f586bfd27a92b2618be44ac28b6dd1ae4ba261d474fe346

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr441558.exe

Filesize
269KB

MD5
48ce38fff1e9f0f49efb7415be6a60ae

SHA1
cb3b19be7f6cb9873c9e72d1c572e80458902fe2

SHA256
4c4a591247879f96a0d545c1c1c9712142f894de0102744a6f169d2af18e3b63

SHA512
a440b9977a554a1d0fe7979743fad953cebfb0de4e0254066aed1290d606fa50d5c523ab94bba1023e4c85d04d1500020f78918e52413fb65817e46a0804a4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr441558.exe

Filesize
269KB

MD5
48ce38fff1e9f0f49efb7415be6a60ae

SHA1
cb3b19be7f6cb9873c9e72d1c572e80458902fe2

SHA256
4c4a591247879f96a0d545c1c1c9712142f894de0102744a6f169d2af18e3b63

SHA512
a440b9977a554a1d0fe7979743fad953cebfb0de4e0254066aed1290d606fa50d5c523ab94bba1023e4c85d04d1500020f78918e52413fb65817e46a0804a4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu173736.exe

Filesize
351KB

MD5
db4dcba082317813631a8d5f7700a948

SHA1
eecd2db13f72b8537524a1b963f1c03d0d04ebdc

SHA256
4a31107b43aae3a4856ce3d91ba0bb678e4639c64fe12e61b7836af4e01dbdcf

SHA512
306a0b4d23c541e042d0d01fdc6cdffe33a275701476396b499e02c79917e9a55d2396ead964b07f0fd454d1bbbe66362d5f9c9ac92b5caa6683b2418216736e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu173736.exe

Filesize
351KB

MD5
db4dcba082317813631a8d5f7700a948

SHA1
eecd2db13f72b8537524a1b963f1c03d0d04ebdc

SHA256
4a31107b43aae3a4856ce3d91ba0bb678e4639c64fe12e61b7836af4e01dbdcf

SHA512
306a0b4d23c541e042d0d01fdc6cdffe33a275701476396b499e02c79917e9a55d2396ead964b07f0fd454d1bbbe66362d5f9c9ac92b5caa6683b2418216736e

Download Submit
memory/2720-226-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-988-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/2720-998-0x000000000B3E0000-0x000000000B90C000-memory.dmp

Filesize
5.2MB

Download
memory/2720-997-0x000000000B210000-0x000000000B3D2000-memory.dmp

Filesize
1.8MB

Download
memory/2720-996-0x000000000B0F0000-0x000000000B10E000-memory.dmp

Filesize
120KB

Download
memory/2720-995-0x000000000B040000-0x000000000B0B6000-memory.dmp

Filesize
472KB

Download
memory/2720-994-0x000000000AFE0000-0x000000000B030000-memory.dmp

Filesize
320KB

Download
memory/2720-993-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/2720-992-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/2720-991-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/2720-990-0x000000000A460000-0x000000000A49C000-memory.dmp

Filesize
240KB

Download
memory/2720-989-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/2720-987-0x0000000009CC0000-0x000000000A2D8000-memory.dmp

Filesize
6.1MB

Download
memory/2720-228-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-224-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-222-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-220-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-214-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-218-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-216-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-207-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-211-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/2720-212-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-192-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-194-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-191-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-196-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-198-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-200-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-202-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-204-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/2720-206-0x0000000002CE0000-0x0000000002D26000-memory.dmp

Filesize
280KB

Download
memory/2720-208-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/2720-209-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/3916-1005-0x00000000009E0000-0x0000000000A08000-memory.dmp

Filesize
160KB

Download
memory/3916-1006-0x0000000007770000-0x0000000007780000-memory.dmp

Filesize
64KB

Download
memory/4196-153-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-149-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

Filesize
180KB

Download
memory/4196-183-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/4196-182-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/4196-181-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/4196-180-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-178-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-150-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/4196-176-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-174-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-151-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/4196-172-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-184-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/4196-164-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-170-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-166-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-162-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-160-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-158-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-156-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-154-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-168-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4196-148-0x0000000007250000-0x00000000077F4000-memory.dmp

Filesize
5.6MB

Download
memory/4196-186-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/4196-152-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download