b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d

Analysis

max time kernel
49s
max time network
56s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22/04/2023, 05:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe
Size

706KB
MD5

0ede40cfe90fa34def1c13f44675fc01
SHA1

6cd7442c935f9beff8ec2e206d918d9bfcb3bd80
SHA256

b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d
SHA512

fa4ee80787a7c97c2d89e7d036b2920309df9bb95d728880c4fbb9cb3114dbe85be613ee6a596dcdc037bb02135a0d5245aa220e5b0b2f6a4966d33d0342a883
SSDEEP

12288:1y90kzSmfnnumQhLsdvB4WxQOdrVJY8c0upZ/ozIv:1yTSmfnnuV6iW5rVTchYK

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr375671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr375671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr375671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr375671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr375671.exe

Executes dropped EXE 4 IoCs

pid	Process
2248	un852075.exe
2600	pr375671.exe
3932	qu767504.exe
1472	si404735.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr375671.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr375671.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un852075.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un852075.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2600	pr375671.exe
2600	pr375671.exe
3932	qu767504.exe
3932	qu767504.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	pr375671.exe
Token: SeDebugPrivilege	3932	qu767504.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2248	2072	b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe	66
PID 2072 wrote to memory of 2248	2072	b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe	66
PID 2072 wrote to memory of 2248	2072	b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe	66
PID 2248 wrote to memory of 2600	2248	un852075.exe	67
PID 2248 wrote to memory of 2600	2248	un852075.exe	67
PID 2248 wrote to memory of 2600	2248	un852075.exe	67
PID 2248 wrote to memory of 3932	2248	un852075.exe	68
PID 2248 wrote to memory of 3932	2248	un852075.exe	68
PID 2248 wrote to memory of 3932	2248	un852075.exe	68
PID 2072 wrote to memory of 1472	2072	b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe	70
PID 2072 wrote to memory of 1472	2072	b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe	70
PID 2072 wrote to memory of 1472	2072	b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe	70

C:\Users\Admin\AppData\Local\Temp\b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe
"C:\Users\Admin\AppData\Local\Temp\b3bc0fb73f079870a31764eb3769013bd656cc867bbaa6bab0a047dc2320ad2d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un852075.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un852075.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr375671.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr375671.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu767504.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu767504.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si404735.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si404735.exe
  2⤵
  - Executes dropped EXE
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si404735.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un852075.exe

Filesize
552KB

MD5
76c56f9b877686ba53f58d2be484fbaa

SHA1
7eb13b75944636542548cd4dbe39158c5b964db3

SHA256
4d515de51b0ecc041e19ae714b3cf441e35dd1da20ee01b6d3fb36cc4e8a48b5

SHA512
d6f1143f49803e5f925095986fa9e200c3beecc930609ea79537003a13b6a1ba34d8820306d7a9b047fe91103456606ac50c82097b9d0412618895db61805742

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un852075.exe

Filesize
552KB

MD5
76c56f9b877686ba53f58d2be484fbaa

SHA1
7eb13b75944636542548cd4dbe39158c5b964db3

SHA256
4d515de51b0ecc041e19ae714b3cf441e35dd1da20ee01b6d3fb36cc4e8a48b5

SHA512
d6f1143f49803e5f925095986fa9e200c3beecc930609ea79537003a13b6a1ba34d8820306d7a9b047fe91103456606ac50c82097b9d0412618895db61805742

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr375671.exe

Filesize
299KB

MD5
287d33547688f606a5e6c0f5f2ee07fa

SHA1
a392c163e829a3a4f3b2237fde1131bdc33cbedf

SHA256
3bbdb71a692d23359e2e59cb533520bd0199f13ff421a7d37dfba92f2a8896a9

SHA512
779f517f565a41554b79a6b759b3ae741f37a87d56361264de1062bb4151be9719ac8dce28f30bc22c44fb10a9ddceb689856b378a17d058ba07a67425e63111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr375671.exe

Filesize
299KB

MD5
287d33547688f606a5e6c0f5f2ee07fa

SHA1
a392c163e829a3a4f3b2237fde1131bdc33cbedf

SHA256
3bbdb71a692d23359e2e59cb533520bd0199f13ff421a7d37dfba92f2a8896a9

SHA512
779f517f565a41554b79a6b759b3ae741f37a87d56361264de1062bb4151be9719ac8dce28f30bc22c44fb10a9ddceb689856b378a17d058ba07a67425e63111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu767504.exe

Filesize
382KB

MD5
bcea22891e90238e8852908228cfcbd4

SHA1
983766f3d8d65bdd92d860055e6ee6a575504b2f

SHA256
da1839e11ae4f296eb446a4d3cb8c3067f9ef9b5e390754fdd473ea40884aaf8

SHA512
8ce688ef2a5c83e80f0f50f123ba887a4c2a56c3997fcc0bb789d79a36498efddfe1dd72b6a95055a6242b93f8885520e9ee7f47d463804570dfb75dc658f2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu767504.exe

Filesize
382KB

MD5
bcea22891e90238e8852908228cfcbd4

SHA1
983766f3d8d65bdd92d860055e6ee6a575504b2f

SHA256
da1839e11ae4f296eb446a4d3cb8c3067f9ef9b5e390754fdd473ea40884aaf8

SHA512
8ce688ef2a5c83e80f0f50f123ba887a4c2a56c3997fcc0bb789d79a36498efddfe1dd72b6a95055a6242b93f8885520e9ee7f47d463804570dfb75dc658f2ed

Download Submit
memory/2600-136-0x0000000002E00000-0x0000000002E1A000-memory.dmp

Filesize
104KB

Download
memory/2600-137-0x0000000007280000-0x000000000777E000-memory.dmp

Filesize
5.0MB

Download
memory/2600-138-0x0000000004840000-0x0000000004858000-memory.dmp

Filesize
96KB

Download
memory/2600-139-0x0000000002C90000-0x0000000002CBD000-memory.dmp

Filesize
180KB

Download
memory/2600-140-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/2600-141-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/2600-142-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/2600-143-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-144-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-148-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-146-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-150-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-152-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-154-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-156-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-158-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-162-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-160-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-164-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-166-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-170-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-168-0x0000000004840000-0x0000000004852000-memory.dmp

Filesize
72KB

Download
memory/2600-171-0x0000000000400000-0x0000000002BB5000-memory.dmp

Filesize
39.7MB

Download
memory/2600-172-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/2600-173-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/2600-174-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/2600-176-0x0000000000400000-0x0000000002BB5000-memory.dmp

Filesize
39.7MB

Download
memory/3932-181-0x0000000004B40000-0x0000000004B7C000-memory.dmp

Filesize
240KB

Download
memory/3932-182-0x00000000076A0000-0x00000000076DA000-memory.dmp

Filesize
232KB

Download
memory/3932-183-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-184-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-186-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-188-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-190-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-192-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-194-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-196-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-198-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-200-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-202-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-204-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-206-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-208-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-210-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-212-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-213-0x0000000002CC0000-0x0000000002D06000-memory.dmp

Filesize
280KB

Download
memory/3932-216-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-215-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/3932-217-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/3932-219-0x00000000076A0000-0x00000000076D5000-memory.dmp

Filesize
212KB

Download
memory/3932-978-0x0000000009BA0000-0x000000000A1A6000-memory.dmp

Filesize
6.0MB

Download
memory/3932-979-0x000000000A210000-0x000000000A222000-memory.dmp

Filesize
72KB

Download
memory/3932-980-0x000000000A240000-0x000000000A34A000-memory.dmp

Filesize
1.0MB

Download
memory/3932-981-0x000000000A360000-0x000000000A39E000-memory.dmp

Filesize
248KB

Download
memory/3932-982-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/3932-983-0x000000000A3E0000-0x000000000A42B000-memory.dmp

Filesize
300KB

Download
memory/3932-984-0x000000000A670000-0x000000000A6D6000-memory.dmp

Filesize
408KB

Download
memory/3932-985-0x000000000AD20000-0x000000000ADB2000-memory.dmp

Filesize
584KB

Download
memory/3932-986-0x000000000ADD0000-0x000000000AE20000-memory.dmp

Filesize
320KB

Download
memory/3932-987-0x000000000AE40000-0x000000000AEB6000-memory.dmp

Filesize
472KB

Download
memory/3932-988-0x000000000AF00000-0x000000000B0C2000-memory.dmp

Filesize
1.8MB

Download
memory/3932-989-0x000000000B0E0000-0x000000000B60C000-memory.dmp

Filesize
5.2MB

Download
memory/3932-990-0x000000000B720000-0x000000000B73E000-memory.dmp

Filesize
120KB

Download