b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705 | Triage

Analysis

max time kernel
109s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2023, 16:37 UTC

Sharing

Report Analysis Logs

General

Target

b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe
Size

698KB
MD5

c8dc99e799be9af897354b91fc1e5bcf
SHA1

b86a520ee8d2573dc544075b9d47af47c572262b
SHA256

b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705
SHA512

00c9910118848ba70537bef575fcc7bb2bbf24bf6c5c1ca0c389825fad13d6a262b01b910b6b093062204bac38a06bf80eae8463b1ab51f016b144a2d806991b
SSDEEP

12288:Ly90LYrbEmqJetPvXUEnYP5P6IC5HszqrSS5G7ANf4HEFTaviMVdbE67oUfZo9:Ly7J/zIC5HszOcXkpaqugefZo9

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Modify Existing Service

Disabling Security Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr095832.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr095832.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr095832.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr095832.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr095832.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr095832.exe

Executes dropped EXE 4 IoCs

pid	Process
2100	un337589.exe
2292	pr095832.exe
1652	qu169334.exe
4184	si469901.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr095832.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr095832.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un337589.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un337589.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3312	1652	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2292	pr095832.exe
2292	pr095832.exe
1652	qu169334.exe
1652	qu169334.exe
4184	si469901.exe
4184	si469901.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	pr095832.exe
Token: SeDebugPrivilege	1652	qu169334.exe
Token: SeDebugPrivilege	4184	si469901.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2100	1684	b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe	85
PID 1684 wrote to memory of 2100	1684	b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe	85
PID 1684 wrote to memory of 2100	1684	b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe	85
PID 2100 wrote to memory of 2292	2100	un337589.exe	86
PID 2100 wrote to memory of 2292	2100	un337589.exe	86
PID 2100 wrote to memory of 2292	2100	un337589.exe	86
PID 2100 wrote to memory of 1652	2100	un337589.exe	90
PID 2100 wrote to memory of 1652	2100	un337589.exe	90
PID 2100 wrote to memory of 1652	2100	un337589.exe	90
PID 1684 wrote to memory of 4184	1684	b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe	94
PID 1684 wrote to memory of 4184	1684	b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe	94
PID 1684 wrote to memory of 4184	1684	b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe	94

C:\Users\Admin\AppData\Local\Temp\b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe
"C:\Users\Admin\AppData\Local\Temp\b90b4e4615bd2b7458c26a283f2a9acef70d795bfacdd46d60cf20aef84a4705.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un337589.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un337589.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr095832.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr095832.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu169334.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu169334.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1320
      4⤵
      Program crash
      PID:3312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si469901.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si469901.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1652 -ip 1652
1⤵
PID:3456

Network

DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

76.38.195.152.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.38.195.152.in-addr.arpa

IN PTR

Response
DNS

142.248.161.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.248.161.185.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

152.248.161.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.248.161.185.in-addr.arpa

IN PTR

Response
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

45.8.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.8.109.52.in-addr.arpa

IN PTR

Response

185.161.248.142:38452

qu169334.exe

5.9kB
7.7kB
15
12
20.189.173.6:443

322 B
7
185.161.248.152:38452

si469901.exe

5.8kB
7.7kB
15
13
209.197.3.8:80

322 B
7
173.223.113.164:443

322 B
7

8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

76.38.195.152.in-addr.arpa

dns

72 B
143 B
1
1

DNS Request

76.38.195.152.in-addr.arpa
8.8.8.8:53

142.248.161.185.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

142.248.161.185.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

152.248.161.185.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

152.248.161.185.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

45.8.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

45.8.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si469901.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si469901.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un337589.exe

Filesize
544KB

MD5
f115cdf95bafbab0d86548dd27391de3

SHA1
5cb261d9918235365e094c1cb8107f7f7eb4e80e

SHA256
2ec35f2e2550c0653fcd582bba0b244676e35745926576777c3d0979f1544ef8

SHA512
aeca93ef50d9b90164e038c87d1f6ebb5d7cd3032d77f53b1d351c272d1a8a4b0b5da8e00a1c50fdbe7041ab742ba493547d3c7ba1eb7b84a05ecc8664c6e53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un337589.exe

Filesize
544KB

MD5
f115cdf95bafbab0d86548dd27391de3

SHA1
5cb261d9918235365e094c1cb8107f7f7eb4e80e

SHA256
2ec35f2e2550c0653fcd582bba0b244676e35745926576777c3d0979f1544ef8

SHA512
aeca93ef50d9b90164e038c87d1f6ebb5d7cd3032d77f53b1d351c272d1a8a4b0b5da8e00a1c50fdbe7041ab742ba493547d3c7ba1eb7b84a05ecc8664c6e53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr095832.exe

Filesize
270KB

MD5
fffe20773b48fcd45b990150777cbb54

SHA1
328ecc6cedeca03d101a959103f0de247829374c

SHA256
5039df2f43b7680faf255ea0942ddb2f18a59b405d60d52d529664a65ff16e94

SHA512
616edd55c65e5dfab768a3b4d555ebf2bbfe7559fb254588a4859f3bcf181b58af6a8f35366d589c7cfc11ca89d970f53e27fe9973e400f79398b9613f34dad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr095832.exe

Filesize
270KB

MD5
fffe20773b48fcd45b990150777cbb54

SHA1
328ecc6cedeca03d101a959103f0de247829374c

SHA256
5039df2f43b7680faf255ea0942ddb2f18a59b405d60d52d529664a65ff16e94

SHA512
616edd55c65e5dfab768a3b4d555ebf2bbfe7559fb254588a4859f3bcf181b58af6a8f35366d589c7cfc11ca89d970f53e27fe9973e400f79398b9613f34dad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu169334.exe

Filesize
352KB

MD5
2e3088015ef083d511878e2acabc51a3

SHA1
e20e5255cc431ac10793fe458bcb26e53c0031ae

SHA256
52c79634c08c01d7169bec604274ec564ad79c569d6e7b935a6bdb623febffdf

SHA512
ec4fe0f4a4cf479f3f82d7d2b0ba61420c1bcf4a1896b3b36c9fd4c2f6cf5092c6a9ec914cf4c2db754d9b7a4e4e2f8461654a214a8944e0ee7fad08e7dda241

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu169334.exe

Filesize
352KB

MD5
2e3088015ef083d511878e2acabc51a3

SHA1
e20e5255cc431ac10793fe458bcb26e53c0031ae

SHA256
52c79634c08c01d7169bec604274ec564ad79c569d6e7b935a6bdb623febffdf

SHA512
ec4fe0f4a4cf479f3f82d7d2b0ba61420c1bcf4a1896b3b36c9fd4c2f6cf5092c6a9ec914cf4c2db754d9b7a4e4e2f8461654a214a8944e0ee7fad08e7dda241

Download Submit
memory/1652-224-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-985-0x0000000009CD0000-0x000000000A2E8000-memory.dmp

Filesize
6.1MB

Download
memory/1652-997-0x000000000B930000-0x000000000B94E000-memory.dmp

Filesize
120KB

Download
memory/1652-996-0x000000000B300000-0x000000000B82C000-memory.dmp

Filesize
5.2MB

Download
memory/1652-995-0x000000000B110000-0x000000000B2D2000-memory.dmp

Filesize
1.8MB

Download
memory/1652-993-0x000000000AF40000-0x000000000AFB6000-memory.dmp

Filesize
472KB

Download
memory/1652-992-0x000000000AEE0000-0x000000000AF30000-memory.dmp

Filesize
320KB

Download
memory/1652-991-0x000000000AE30000-0x000000000AEC2000-memory.dmp

Filesize
584KB

Download
memory/1652-990-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/1652-989-0x000000000A460000-0x000000000A49C000-memory.dmp

Filesize
240KB

Download
memory/1652-988-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1652-987-0x000000000A350000-0x000000000A45A000-memory.dmp

Filesize
1.0MB

Download
memory/1652-986-0x000000000A330000-0x000000000A342000-memory.dmp

Filesize
72KB

Download
memory/1652-458-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1652-457-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1652-218-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-222-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-220-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-216-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-214-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-212-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-210-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-190-0x0000000002CD0000-0x0000000002D16000-memory.dmp

Filesize
280KB

Download
memory/1652-191-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-194-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-192-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-196-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-198-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-200-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-202-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-204-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-206-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/1652-208-0x0000000004C80000-0x0000000004CB5000-memory.dmp

Filesize
212KB

Download
memory/2292-173-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-149-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

Filesize
180KB

Download
memory/2292-185-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/2292-183-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/2292-182-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/2292-181-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/2292-180-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/2292-150-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/2292-179-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-175-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-153-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-177-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-152-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-151-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/2292-161-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-167-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-165-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-163-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-169-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-159-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-157-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-155-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-171-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/2292-148-0x00000000072E0000-0x0000000007884000-memory.dmp

Filesize
5.6MB

Download
memory/4184-1003-0x0000000000750000-0x0000000000778000-memory.dmp

Filesize
160KB

Download
memory/4184-1004-0x0000000007840000-0x0000000007850000-memory.dmp

Filesize
64KB

Download