605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2023, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe
Size

707KB
MD5

31b36637e80827cf430c0323d202737f
SHA1

123fb112c406bc5dbdbf5b85a481233353418fd7
SHA256

605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1
SHA512

9c632170dec25590be43897273fedfb67c64018ffec6b14b8455012008b12e3b237f0ebc7816fbba577be90c81d9ca78046d69b6ba552b760d0feffc1232e742
SSDEEP

12288:Py90gJ2rcDxXkvUpcExP0I6G+9WiW29Iz6MHrMsu47hdr8JY8c0B0ZKZgyEMRvz:PyP5tkScE9cdtgr53r8TcWKrqA

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr011492.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr011492.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr011492.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr011492.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr011492.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr011492.exe

Executes dropped EXE 4 IoCs

pid	Process
3684	un271094.exe
2504	pr011492.exe
1912	qu891717.exe
4764	si557316.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr011492.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr011492.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un271094.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un271094.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2680	2504	WerFault.exe	83
3124	1912	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2504	pr011492.exe
2504	pr011492.exe
1912	qu891717.exe
1912	qu891717.exe
4764	si557316.exe
4764	si557316.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	pr011492.exe
Token: SeDebugPrivilege	1912	qu891717.exe
Token: SeDebugPrivilege	4764	si557316.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 3684	4360	605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe	82
PID 4360 wrote to memory of 3684	4360	605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe	82
PID 4360 wrote to memory of 3684	4360	605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe	82
PID 3684 wrote to memory of 2504	3684	un271094.exe	83
PID 3684 wrote to memory of 2504	3684	un271094.exe	83
PID 3684 wrote to memory of 2504	3684	un271094.exe	83
PID 3684 wrote to memory of 1912	3684	un271094.exe	86
PID 3684 wrote to memory of 1912	3684	un271094.exe	86
PID 3684 wrote to memory of 1912	3684	un271094.exe	86
PID 4360 wrote to memory of 4764	4360	605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe	90
PID 4360 wrote to memory of 4764	4360	605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe	90
PID 4360 wrote to memory of 4764	4360	605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe	90

C:\Users\Admin\AppData\Local\Temp\605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe
"C:\Users\Admin\AppData\Local\Temp\605da560d0834c7ea00bb63a17b08aa42e82535df61f1fbfe86bb9acf2f6c2e1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un271094.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un271094.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr011492.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr011492.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1084
      4⤵
      Program crash
      PID:2680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu891717.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu891717.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1332
      4⤵
      Program crash
      PID:3124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si557316.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si557316.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2504 -ip 2504
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1912 -ip 1912
1⤵
PID:3104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si557316.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si557316.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un271094.exe

Filesize
552KB

MD5
8a9bfea455d2aef35ea22499c5ba1d0b

SHA1
90500fe2e17fd6c7227434be4a01fb77d0b58310

SHA256
d27ab7fe8f53ea8c26e64f613e2881ce0c88a4398d8b6f98b78b4c01a0e24d50

SHA512
9cca6906f5af20d19f4267bb167968fac0f17371704042093236e6b0e4efac6fd25edd6d90f8c7008c243c01d0b92e00ef6bfb75dab24e0b1adcef704666de7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un271094.exe

Filesize
552KB

MD5
8a9bfea455d2aef35ea22499c5ba1d0b

SHA1
90500fe2e17fd6c7227434be4a01fb77d0b58310

SHA256
d27ab7fe8f53ea8c26e64f613e2881ce0c88a4398d8b6f98b78b4c01a0e24d50

SHA512
9cca6906f5af20d19f4267bb167968fac0f17371704042093236e6b0e4efac6fd25edd6d90f8c7008c243c01d0b92e00ef6bfb75dab24e0b1adcef704666de7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr011492.exe

Filesize
299KB

MD5
962b4965c2108196d14bf76d070eaa2b

SHA1
5a7282501b01c9d9cf6514930069591260ba6b28

SHA256
2d6b2f9f5786da74068d19e7bd69a35824626fa4aac2e93748e0a0e96932a0c0

SHA512
aa4513dea59b851a00a49b2fd46562fb4efecb7ce50a08bd059791367120402edfb6c4874bc21ed0befdc01bc2ca77327be92f23ccfe06a1e00d128dfd1c7c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr011492.exe

Filesize
299KB

MD5
962b4965c2108196d14bf76d070eaa2b

SHA1
5a7282501b01c9d9cf6514930069591260ba6b28

SHA256
2d6b2f9f5786da74068d19e7bd69a35824626fa4aac2e93748e0a0e96932a0c0

SHA512
aa4513dea59b851a00a49b2fd46562fb4efecb7ce50a08bd059791367120402edfb6c4874bc21ed0befdc01bc2ca77327be92f23ccfe06a1e00d128dfd1c7c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu891717.exe

Filesize
382KB

MD5
bbac50865b1429ab8086f8dccaab9381

SHA1
b647f23deb8f7cc947470a694dbdef6aaaeee637

SHA256
771b5fe86dd70d1730fcf5675bfcd29bd006442574c7318da8ed65849c0e3cef

SHA512
4e06601a87a68ac1f9b9af2c5ef6108a60db4b724adeed221bdfb0bee0c6dc32f60894df0df479edca23a92e2caf7abaa569c16baa8c43e0124d510242bd9120

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu891717.exe

Filesize
382KB

MD5
bbac50865b1429ab8086f8dccaab9381

SHA1
b647f23deb8f7cc947470a694dbdef6aaaeee637

SHA256
771b5fe86dd70d1730fcf5675bfcd29bd006442574c7318da8ed65849c0e3cef

SHA512
4e06601a87a68ac1f9b9af2c5ef6108a60db4b724adeed221bdfb0bee0c6dc32f60894df0df479edca23a92e2caf7abaa569c16baa8c43e0124d510242bd9120

Download Submit
memory/1912-226-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-988-0x00000000072C0000-0x00000000072D2000-memory.dmp

Filesize
72KB

Download
memory/1912-998-0x000000000B8A0000-0x000000000B8BE000-memory.dmp

Filesize
120KB

Download
memory/1912-997-0x000000000B2F0000-0x000000000B81C000-memory.dmp

Filesize
5.2MB

Download
memory/1912-996-0x000000000B120000-0x000000000B2E2000-memory.dmp

Filesize
1.8MB

Download
memory/1912-995-0x000000000B040000-0x000000000B0B6000-memory.dmp

Filesize
472KB

Download
memory/1912-994-0x000000000AFD0000-0x000000000B020000-memory.dmp

Filesize
320KB

Download
memory/1912-993-0x000000000AE30000-0x000000000AEC2000-memory.dmp

Filesize
584KB

Download
memory/1912-992-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/1912-991-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1912-990-0x0000000007300000-0x000000000733C000-memory.dmp

Filesize
240KB

Download
memory/1912-989-0x000000000A3A0000-0x000000000A4AA000-memory.dmp

Filesize
1.0MB

Download
memory/1912-987-0x0000000009D80000-0x000000000A398000-memory.dmp

Filesize
6.1MB

Download
memory/1912-228-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-224-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-222-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-220-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-218-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-216-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-214-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-212-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-210-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-208-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-191-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/1912-193-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1912-194-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-196-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-195-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1912-192-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1912-198-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-200-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-202-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-204-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/1912-206-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/2504-153-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-148-0x00000000071F0000-0x0000000007794000-memory.dmp

Filesize
5.6MB

Download
memory/2504-186-0x0000000000400000-0x0000000002BB5000-memory.dmp

Filesize
39.7MB

Download
memory/2504-184-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2504-183-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2504-182-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2504-181-0x0000000000400000-0x0000000002BB5000-memory.dmp

Filesize
39.7MB

Download
memory/2504-180-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-178-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-151-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2504-176-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-170-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-152-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2504-150-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2504-174-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-168-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-166-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-164-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-162-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-160-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-158-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-156-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-154-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2504-149-0x0000000002BC0000-0x0000000002BED000-memory.dmp

Filesize
180KB

Download
memory/2504-172-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4764-1005-0x0000000000600000-0x0000000000628000-memory.dmp

Filesize
160KB

Download
memory/4764-1006-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download