ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b

Analysis

max time kernel
90s
max time network
92s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22/04/2023, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe
Size

706KB
MD5

97a6a2c76e63982557bbd1ef54f0512d
SHA1

0dcc9bf8c1708e2ed92160450f0ed12e9cbdd98a
SHA256

ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b
SHA512

a99882b19cb8944de10ecd6856415c6c8f0345de6b87aee2d8b83ef276da679e8e5436231fac0165d06d4152b974ecd4b8d80396fe0b0d4e753c4157e94b74e4
SSDEEP

12288:Ky90W9+jA1m5u1CvywUpxQAhniQWxl6BA/KgrsiUjODI+J91d4t:KydGA1m40K7rpouAtUjUlJ9U

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr451184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr451184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr451184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr451184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr451184.exe

Executes dropped EXE 4 IoCs

pid	Process
4556	un078904.exe
4752	pr451184.exe
4920	qu218053.exe
4676	si037367.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr451184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr451184.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un078904.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un078904.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4752	pr451184.exe
4752	pr451184.exe
4920	qu218053.exe
4920	qu218053.exe
4676	si037367.exe
4676	si037367.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	pr451184.exe
Token: SeDebugPrivilege	4920	qu218053.exe
Token: SeDebugPrivilege	4676	si037367.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4556	4188	ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe	66
PID 4188 wrote to memory of 4556	4188	ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe	66
PID 4188 wrote to memory of 4556	4188	ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe	66
PID 4556 wrote to memory of 4752	4556	un078904.exe	67
PID 4556 wrote to memory of 4752	4556	un078904.exe	67
PID 4556 wrote to memory of 4752	4556	un078904.exe	67
PID 4556 wrote to memory of 4920	4556	un078904.exe	68
PID 4556 wrote to memory of 4920	4556	un078904.exe	68
PID 4556 wrote to memory of 4920	4556	un078904.exe	68
PID 4188 wrote to memory of 4676	4188	ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe	70
PID 4188 wrote to memory of 4676	4188	ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe	70
PID 4188 wrote to memory of 4676	4188	ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe	70

C:\Users\Admin\AppData\Local\Temp\ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe
"C:\Users\Admin\AppData\Local\Temp\ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un078904.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un078904.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451184.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451184.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu218053.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu218053.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si037367.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si037367.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si037367.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si037367.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un078904.exe

Filesize
552KB

MD5
81096fff0176cc375180989883138502

SHA1
65bcb1fe813370662cf126fc8bd1bc77b706b794

SHA256
c6601a79b324a949e5930ca81af1ea35226fd32953209494f57410eeb07b2672

SHA512
85b01bdcd0ad28f96df4fa7db1380c046a37495bda7cabc083092b19e79725a623c167caf62b88f184e5f1af3291b75ca3de4765670c3e21d4e0933324c15b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un078904.exe

Filesize
552KB

MD5
81096fff0176cc375180989883138502

SHA1
65bcb1fe813370662cf126fc8bd1bc77b706b794

SHA256
c6601a79b324a949e5930ca81af1ea35226fd32953209494f57410eeb07b2672

SHA512
85b01bdcd0ad28f96df4fa7db1380c046a37495bda7cabc083092b19e79725a623c167caf62b88f184e5f1af3291b75ca3de4765670c3e21d4e0933324c15b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451184.exe

Filesize
299KB

MD5
9d1376936d0f0a91bb25fd6ab4e252ad

SHA1
097ba0e42627708765b40f6716aa7670ec40ed65

SHA256
da601ede82012ec6239e0c0d480a70c4f6e3c50ec67ad070621e8c8c5cacd540

SHA512
8694e3799ac6c5606a8bc361fc437cc3df189b6c88d6a301a9b693f736121248738be1f808689e1453852fcfdd80822647d373124908613835df94f84c17d789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451184.exe

Filesize
299KB

MD5
9d1376936d0f0a91bb25fd6ab4e252ad

SHA1
097ba0e42627708765b40f6716aa7670ec40ed65

SHA256
da601ede82012ec6239e0c0d480a70c4f6e3c50ec67ad070621e8c8c5cacd540

SHA512
8694e3799ac6c5606a8bc361fc437cc3df189b6c88d6a301a9b693f736121248738be1f808689e1453852fcfdd80822647d373124908613835df94f84c17d789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu218053.exe

Filesize
381KB

MD5
8e9c06501f11808e0d413cc6be8d19a1

SHA1
3308487f02d2d54ecbe59fbbf23e65341fd0d623

SHA256
f2508a79c1ec8c9b09dfca5d5340bd2bf77a0224f0fa95ff744d2098f7be33e5

SHA512
2d2c3e4cef54b697f99c7719029e6d4945e8953c925f09d8c498cd92cf566ff909f804537f716951a6630e23eca87502e9e77e77722cdcf64f90beabb34ba775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu218053.exe

Filesize
381KB

MD5
8e9c06501f11808e0d413cc6be8d19a1

SHA1
3308487f02d2d54ecbe59fbbf23e65341fd0d623

SHA256
f2508a79c1ec8c9b09dfca5d5340bd2bf77a0224f0fa95ff744d2098f7be33e5

SHA512
2d2c3e4cef54b697f99c7719029e6d4945e8953c925f09d8c498cd92cf566ff909f804537f716951a6630e23eca87502e9e77e77722cdcf64f90beabb34ba775

Download Submit
memory/4676-997-0x00000000072B0000-0x00000000072FB000-memory.dmp

Filesize
300KB

Download
memory/4676-996-0x0000000000530000-0x0000000000558000-memory.dmp

Filesize
160KB

Download
memory/4676-998-0x00000000075F0000-0x0000000007600000-memory.dmp

Filesize
64KB

Download
memory/4752-148-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-160-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-139-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-140-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-144-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-142-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-146-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-137-0x00000000071E0000-0x00000000076DE000-memory.dmp

Filesize
5.0MB

Download
memory/4752-150-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-152-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-154-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-156-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-158-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-138-0x0000000004C90000-0x0000000004CA8000-memory.dmp

Filesize
96KB

Download
memory/4752-162-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-164-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-166-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4752-167-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4752-168-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4752-169-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4752-170-0x0000000000400000-0x0000000002BB4000-memory.dmp

Filesize
39.7MB

Download
memory/4752-172-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4752-173-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4752-174-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4752-175-0x0000000000400000-0x0000000002BB4000-memory.dmp

Filesize
39.7MB

Download
memory/4752-136-0x0000000004AE0000-0x0000000004AFA000-memory.dmp

Filesize
104KB

Download
memory/4752-135-0x0000000002C90000-0x0000000002CBD000-memory.dmp

Filesize
180KB

Download
memory/4920-180-0x0000000004910000-0x000000000494C000-memory.dmp

Filesize
240KB

Download
memory/4920-183-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-185-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-186-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4920-188-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4920-189-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-184-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4920-191-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-193-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-195-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-197-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-199-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-201-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-203-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-205-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-207-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-209-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-211-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-213-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-215-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-217-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-219-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4920-978-0x0000000009B90000-0x000000000A196000-memory.dmp

Filesize
6.0MB

Download
memory/4920-979-0x000000000A210000-0x000000000A222000-memory.dmp

Filesize
72KB

Download
memory/4920-980-0x000000000A240000-0x000000000A34A000-memory.dmp

Filesize
1.0MB

Download
memory/4920-981-0x000000000A360000-0x000000000A39E000-memory.dmp

Filesize
248KB

Download
memory/4920-982-0x000000000A4E0000-0x000000000A52B000-memory.dmp

Filesize
300KB

Download
memory/4920-983-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4920-984-0x000000000A670000-0x000000000A6D6000-memory.dmp

Filesize
408KB

Download
memory/4920-985-0x000000000AD30000-0x000000000ADC2000-memory.dmp

Filesize
584KB

Download
memory/4920-986-0x000000000ADF0000-0x000000000AE66000-memory.dmp

Filesize
472KB

Download
memory/4920-987-0x000000000AEB0000-0x000000000B072000-memory.dmp

Filesize
1.8MB

Download
memory/4920-182-0x0000000002BD0000-0x0000000002C16000-memory.dmp

Filesize
280KB

Download
memory/4920-181-0x0000000004D20000-0x0000000004D5A000-memory.dmp

Filesize
232KB

Download
memory/4920-988-0x000000000B090000-0x000000000B5BC000-memory.dmp

Filesize
5.2MB

Download
memory/4920-989-0x000000000B6D0000-0x000000000B6EE000-memory.dmp

Filesize
120KB

Download
memory/4920-990-0x00000000046E0000-0x0000000004730000-memory.dmp

Filesize
320KB

Download