8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e

Analysis

max time kernel
86s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2023 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe
Size

707KB
MD5

79ceee9146157af3e7100d0911f96dbd
SHA1

e001cbc165728b029e335b174f3b9a0f2a41d6ed
SHA256

8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e
SHA512

4c5269e216a3471ac0efd482f2af93a2ed3a1fe8ac558870a79049ee459f4116801453b3a196bbdf74ac0a37bd81fa252cb3b75481e20b98083af587be00e576
SSDEEP

12288:yy90gWSCOiNs1l5Rcy9J1lKBgc4278P/m4JxNndJYmuOoztpMW0pf04fW:yyUFNs17RcyBlCi/mq1dJluOo3bkf0OW

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr024514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr024514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr024514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr024514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr024514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr024514.exe

Executes dropped EXE 4 IoCs

pid	Process
1168	un124744.exe
644	pr024514.exe
3300	qu912347.exe
3516	si591633.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr024514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr024514.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un124744.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un124744.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4164	644	WerFault.exe	85
1020	3300	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
644	pr024514.exe
644	pr024514.exe
3300	qu912347.exe
3300	qu912347.exe
3516	si591633.exe
3516	si591633.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	pr024514.exe
Token: SeDebugPrivilege	3300	qu912347.exe
Token: SeDebugPrivilege	3516	si591633.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1168	2128	8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe	84
PID 2128 wrote to memory of 1168	2128	8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe	84
PID 2128 wrote to memory of 1168	2128	8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe	84
PID 1168 wrote to memory of 644	1168	un124744.exe	85
PID 1168 wrote to memory of 644	1168	un124744.exe	85
PID 1168 wrote to memory of 644	1168	un124744.exe	85
PID 1168 wrote to memory of 3300	1168	un124744.exe	91
PID 1168 wrote to memory of 3300	1168	un124744.exe	91
PID 1168 wrote to memory of 3300	1168	un124744.exe	91
PID 2128 wrote to memory of 3516	2128	8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe	94
PID 2128 wrote to memory of 3516	2128	8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe	94
PID 2128 wrote to memory of 3516	2128	8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe	94

C:\Users\Admin\AppData\Local\Temp\8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe
"C:\Users\Admin\AppData\Local\Temp\8bb999f92a8d56243ac6a0d8009dffc7fb52dcc63e386f70c9b10d566bb17d7e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un124744.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un124744.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr024514.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr024514.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1080
      4⤵
      Program crash
      PID:4164
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu912347.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu912347.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 1336
      4⤵
      Program crash
      PID:1020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si591633.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si591633.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 644 -ip 644
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3300 -ip 3300
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si591633.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si591633.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un124744.exe

Filesize
552KB

MD5
a60c666588fb60b8250e383827dce11d

SHA1
e0199d674c953591e728ddf8c9c43c08ceeb85de

SHA256
d858fd2ff0cc6f7ae2f30d58fb670b4ce8814b720a920dbff13bd8e2f5a0b5eb

SHA512
489f3eaa901ffe9426244ee80db8f0996c126b3a213ee927670e2bd0dc22f8feb20f13c2d49ce0bb56228480ab4ad1a9872ae142b90a8a20762be6769cdd5fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un124744.exe

Filesize
552KB

MD5
a60c666588fb60b8250e383827dce11d

SHA1
e0199d674c953591e728ddf8c9c43c08ceeb85de

SHA256
d858fd2ff0cc6f7ae2f30d58fb670b4ce8814b720a920dbff13bd8e2f5a0b5eb

SHA512
489f3eaa901ffe9426244ee80db8f0996c126b3a213ee927670e2bd0dc22f8feb20f13c2d49ce0bb56228480ab4ad1a9872ae142b90a8a20762be6769cdd5fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr024514.exe

Filesize
299KB

MD5
d5b6c33f8d4e9dbb519bb7f64b9fb1bb

SHA1
499fd93bf90b6d956c9089fe5d55ee9b954f9c19

SHA256
e345854b44e21b265a8a35afc1d2712b67551ba4e626469e617307ae887e6f99

SHA512
8dcd3c0d5a4e0ed9e2e6ec7b8bae8eee416d6adb494ebf0d8cfc3a84a44da1f51f7f062ab32eac369691d11d0c6537ce25b32469c105eb5bd28dacb720c712bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr024514.exe

Filesize
299KB

MD5
d5b6c33f8d4e9dbb519bb7f64b9fb1bb

SHA1
499fd93bf90b6d956c9089fe5d55ee9b954f9c19

SHA256
e345854b44e21b265a8a35afc1d2712b67551ba4e626469e617307ae887e6f99

SHA512
8dcd3c0d5a4e0ed9e2e6ec7b8bae8eee416d6adb494ebf0d8cfc3a84a44da1f51f7f062ab32eac369691d11d0c6537ce25b32469c105eb5bd28dacb720c712bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu912347.exe

Filesize
381KB

MD5
5913d70b194959fe1753e1035189b321

SHA1
f7a7765bf4ae3e5fe5110f4d882e67ea7590cf0d

SHA256
7025f4a64c4286906d31aa44bd3c841375afe679cec5a28557c2887b40c3968b

SHA512
7b55cde8b59a262a9d42f85024b10d1d5efa3ca0a1327ff23d3eafa56e71be8741d5b012b455443503a30d8abd43c90cd5f243948c2324c23ca48d3db6874b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu912347.exe

Filesize
381KB

MD5
5913d70b194959fe1753e1035189b321

SHA1
f7a7765bf4ae3e5fe5110f4d882e67ea7590cf0d

SHA256
7025f4a64c4286906d31aa44bd3c841375afe679cec5a28557c2887b40c3968b

SHA512
7b55cde8b59a262a9d42f85024b10d1d5efa3ca0a1327ff23d3eafa56e71be8741d5b012b455443503a30d8abd43c90cd5f243948c2324c23ca48d3db6874b82

Download Submit
memory/644-148-0x0000000007370000-0x0000000007914000-memory.dmp

Filesize
5.6MB

Download
memory/644-149-0x0000000002BF0000-0x0000000002C1D000-memory.dmp

Filesize
180KB

Download
memory/644-151-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/644-150-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/644-152-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/644-153-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-154-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-156-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-158-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-160-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-162-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-164-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-166-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-168-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-170-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-172-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-174-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-176-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-180-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-178-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/644-181-0x0000000000400000-0x0000000002BB4000-memory.dmp

Filesize
39.7MB

Download
memory/644-183-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/644-182-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/644-184-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/644-186-0x0000000000400000-0x0000000002BB4000-memory.dmp

Filesize
39.7MB

Download
memory/3300-191-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-192-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-194-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-196-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-198-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-200-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-202-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-204-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-206-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-208-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-212-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3300-211-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-214-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3300-210-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/3300-216-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3300-218-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-215-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-220-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-222-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-224-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-226-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-228-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/3300-987-0x0000000009C90000-0x000000000A2A8000-memory.dmp

Filesize
6.1MB

Download
memory/3300-988-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/3300-989-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/3300-990-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/3300-991-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/3300-992-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/3300-993-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/3300-994-0x000000000AED0000-0x000000000AF46000-memory.dmp

Filesize
472KB

Download
memory/3300-995-0x000000000AF90000-0x000000000AFAE000-memory.dmp

Filesize
120KB

Download
memory/3300-996-0x000000000B1B0000-0x000000000B372000-memory.dmp

Filesize
1.8MB

Download
memory/3300-997-0x000000000B380000-0x000000000B8AC000-memory.dmp

Filesize
5.2MB

Download
memory/3300-998-0x0000000004A80000-0x0000000004AD0000-memory.dmp

Filesize
320KB

Download
memory/3516-1005-0x0000000000BA0000-0x0000000000BC8000-memory.dmp

Filesize
160KB

Download
memory/3516-1006-0x0000000007CE0000-0x0000000007CF0000-memory.dmp

Filesize
64KB

Download