3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793

Analysis

max time kernel
112s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2023 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe
Size

707KB
MD5

6547a3355b72107134c44af97f75809c
SHA1

9aa4294950ebed2deea719e800f1bd21ded6af44
SHA256

3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793
SHA512

4d7c1bfa78282d40be198f33114a3d2721bf5f7617b54012ff51b6e9326e3a173d7eccbbc081b8c108a67c483233402b5530f55f6f134362814cc943fbd86cb9
SSDEEP

12288:Gy90affJiTzYa8qZ9e9Ha/PO871N7+xJwT9iWg8GMyumo:Gy3AHYaqa/PO87/i0TIWg8Jypo

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr463935.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr463935.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr463935.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr463935.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr463935.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr463935.exe

Executes dropped EXE 4 IoCs

pid	Process
2052	un510578.exe
4624	pr463935.exe
448	qu307207.exe
2448	si604213.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr463935.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr463935.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un510578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un510578.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3844	4624	WerFault.exe	85
4144	448	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4624	pr463935.exe
4624	pr463935.exe
448	qu307207.exe
448	qu307207.exe
2448	si604213.exe
2448	si604213.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	pr463935.exe
Token: SeDebugPrivilege	448	qu307207.exe
Token: SeDebugPrivilege	2448	si604213.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2052	2220	3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe	84
PID 2220 wrote to memory of 2052	2220	3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe	84
PID 2220 wrote to memory of 2052	2220	3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe	84
PID 2052 wrote to memory of 4624	2052	un510578.exe	85
PID 2052 wrote to memory of 4624	2052	un510578.exe	85
PID 2052 wrote to memory of 4624	2052	un510578.exe	85
PID 2052 wrote to memory of 448	2052	un510578.exe	91
PID 2052 wrote to memory of 448	2052	un510578.exe	91
PID 2052 wrote to memory of 448	2052	un510578.exe	91
PID 2220 wrote to memory of 2448	2220	3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe	94
PID 2220 wrote to memory of 2448	2220	3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe	94
PID 2220 wrote to memory of 2448	2220	3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe	94

C:\Users\Admin\AppData\Local\Temp\3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe
"C:\Users\Admin\AppData\Local\Temp\3b127000cbf41fc61d77227900070fe14326ea6e4d178608762d19f734cff793.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un510578.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un510578.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr463935.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr463935.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1080
      4⤵
      Program crash
      PID:3844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu307207.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu307207.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 1756
      4⤵
      Program crash
      PID:4144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604213.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604213.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4624 -ip 4624
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 448 -ip 448
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604213.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si604213.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un510578.exe

Filesize
552KB

MD5
d9454908dcf77fb9c9283a05f64ff40e

SHA1
ddd3b5d32a63fbfc727f0e9b42cd3a9dcaf56382

SHA256
20b218eb1a5a49405afc42925b38f262ab846caf3549f75e8a7197e9fe6e0b65

SHA512
8cbd2ada2916e39865c5d9a693a8448f35db6ac41605de3e1b90fc0131fb8849e682bfb8fc5ce03296084d3a47711076d8081113574ed56421d5deb4530d884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un510578.exe

Filesize
552KB

MD5
d9454908dcf77fb9c9283a05f64ff40e

SHA1
ddd3b5d32a63fbfc727f0e9b42cd3a9dcaf56382

SHA256
20b218eb1a5a49405afc42925b38f262ab846caf3549f75e8a7197e9fe6e0b65

SHA512
8cbd2ada2916e39865c5d9a693a8448f35db6ac41605de3e1b90fc0131fb8849e682bfb8fc5ce03296084d3a47711076d8081113574ed56421d5deb4530d884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr463935.exe

Filesize
285KB

MD5
786ac069789a7637c5c2ee2cf85c531e

SHA1
88f5a46ea089b2c5cea3d6fadd59b2ab3397109a

SHA256
3436951f2b3bd52a45885ece230875b01d7f30d6d73ad01fb688794a479f312f

SHA512
170117f11250a8c1420629185b4cc43aced353286740dd0847824a0b9036c9ef393f912305b60bc964ca053089bed3a8bea50de89f282ac26c05d1d0965bb8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr463935.exe

Filesize
285KB

MD5
786ac069789a7637c5c2ee2cf85c531e

SHA1
88f5a46ea089b2c5cea3d6fadd59b2ab3397109a

SHA256
3436951f2b3bd52a45885ece230875b01d7f30d6d73ad01fb688794a479f312f

SHA512
170117f11250a8c1420629185b4cc43aced353286740dd0847824a0b9036c9ef393f912305b60bc964ca053089bed3a8bea50de89f282ac26c05d1d0965bb8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu307207.exe

Filesize
368KB

MD5
14e65b3eb6e704e08d9882fe9f03a05e

SHA1
820893b608f0c9109ef0e602df05ea1d0f492117

SHA256
46c3e725314dc27d868b986b2058fb7d88498d637ef117f105f6fdfd96ab3545

SHA512
794ae6ee33365faa78ee51ead2d9cfbc579662ac5c5f2a601f374f3f8d015621ec97ec6ed9334986a7b17359ffac184d8a7bedc32dd83f4864071125c496c003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu307207.exe

Filesize
368KB

MD5
14e65b3eb6e704e08d9882fe9f03a05e

SHA1
820893b608f0c9109ef0e602df05ea1d0f492117

SHA256
46c3e725314dc27d868b986b2058fb7d88498d637ef117f105f6fdfd96ab3545

SHA512
794ae6ee33365faa78ee51ead2d9cfbc579662ac5c5f2a601f374f3f8d015621ec97ec6ed9334986a7b17359ffac184d8a7bedc32dd83f4864071125c496c003

Download Submit
memory/448-224-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-988-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/448-998-0x0000000004B40000-0x0000000004B90000-memory.dmp

Filesize
320KB

Download
memory/448-997-0x000000000B7E0000-0x000000000B7FE000-memory.dmp

Filesize
120KB

Download
memory/448-996-0x000000000B1A0000-0x000000000B6CC000-memory.dmp

Filesize
5.2MB

Download
memory/448-995-0x000000000AFD0000-0x000000000B192000-memory.dmp

Filesize
1.8MB

Download
memory/448-994-0x000000000AEF0000-0x000000000AF66000-memory.dmp

Filesize
472KB

Download
memory/448-993-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/448-992-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/448-991-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/448-990-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/448-989-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/448-987-0x0000000009C70000-0x000000000A288000-memory.dmp

Filesize
6.1MB

Download
memory/448-228-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-226-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-222-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-220-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-218-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-216-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-213-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-214-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/448-212-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/448-209-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-192-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-191-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-194-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-196-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-198-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-200-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-202-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-206-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-204-0x0000000004D70000-0x0000000004DA5000-memory.dmp

Filesize
212KB

Download
memory/448-208-0x0000000002D10000-0x0000000002D56000-memory.dmp

Filesize
280KB

Download
memory/448-210-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2448-1005-0x0000000000250000-0x0000000000278000-memory.dmp

Filesize
160KB

Download
memory/2448-1006-0x0000000006FB0000-0x0000000006FC0000-memory.dmp

Filesize
64KB

Download
memory/4624-153-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-181-0x0000000000400000-0x0000000002BB1000-memory.dmp

Filesize
39.7MB

Download
memory/4624-170-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-182-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4624-168-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-180-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-178-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-166-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-176-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-174-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-152-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4624-172-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-183-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4624-184-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4624-150-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4624-164-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-162-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-160-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-158-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-156-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-154-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4624-149-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/4624-148-0x0000000007280000-0x0000000007824000-memory.dmp

Filesize
5.6MB

Download
memory/4624-186-0x0000000000400000-0x0000000002BB1000-memory.dmp

Filesize
39.7MB

Download
memory/4624-151-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download