50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c

Analysis

max time kernel
131s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2023, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe
Size

709KB
MD5

963ce75948926cb51620590068063dd0
SHA1

390f5b3837ac6a1719ae43b53a70740f128b1357
SHA256

50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c
SHA512

3cd14ccb9e38be45029d7341e595035055550eafa947531730db322af2ef6467e76219baa32f874c90b3cc1b4dec60e4a88d380145a188deb3c148699ee0efc6
SSDEEP

12288:Yy90Lu/gpJCz/llKF9FZbRhcrE8SVYXdXdso9q3LCwnRHzn0utqwQKmxsK:YyxgpJCn+dhcrzXdXdso9g1RjdEwQKRK

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr669017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr669017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr669017.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr669017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr669017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr669017.exe

Executes dropped EXE 4 IoCs

pid	Process
4544	un401540.exe
824	pr669017.exe
4300	qu573418.exe
4916	si798149.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr669017.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr669017.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un401540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un401540.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4620	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
624	824	WerFault.exe	87
3660	4300	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
824	pr669017.exe
824	pr669017.exe
4300	qu573418.exe
4300	qu573418.exe
4916	si798149.exe
4916	si798149.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	pr669017.exe
Token: SeDebugPrivilege	4300	qu573418.exe
Token: SeDebugPrivilege	4916	si798149.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 4544	1848	50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe	86
PID 1848 wrote to memory of 4544	1848	50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe	86
PID 1848 wrote to memory of 4544	1848	50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe	86
PID 4544 wrote to memory of 824	4544	un401540.exe	87
PID 4544 wrote to memory of 824	4544	un401540.exe	87
PID 4544 wrote to memory of 824	4544	un401540.exe	87
PID 4544 wrote to memory of 4300	4544	un401540.exe	93
PID 4544 wrote to memory of 4300	4544	un401540.exe	93
PID 4544 wrote to memory of 4300	4544	un401540.exe	93
PID 1848 wrote to memory of 4916	1848	50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe	96
PID 1848 wrote to memory of 4916	1848	50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe	96
PID 1848 wrote to memory of 4916	1848	50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe	96

C:\Users\Admin\AppData\Local\Temp\50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe
"C:\Users\Admin\AppData\Local\Temp\50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401540.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401540.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr669017.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr669017.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1080
      4⤵
      Program crash
      PID:624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu573418.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu573418.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1736
      4⤵
      Program crash
      PID:3660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si798149.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si798149.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 824 -ip 824
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4300 -ip 4300
1⤵
PID:772

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si798149.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si798149.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401540.exe

Filesize
555KB

MD5
a3f3f2021ff1defbe6ad2b2b5925086f

SHA1
91e0a7040cba847df133f35e6b75ab2622b3010b

SHA256
533553acf43e2d889a2d94e2842f4a0342f5b196fd23ba1c4693e3385505db8a

SHA512
655d266ddb0e01ac4ea7525a90cf510035e30e560f29158a6593939bf10ea51c3081f8003991e281de5790c8f795a198657bf495a9917d71cdfb6d29104cfe70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401540.exe

Filesize
555KB

MD5
a3f3f2021ff1defbe6ad2b2b5925086f

SHA1
91e0a7040cba847df133f35e6b75ab2622b3010b

SHA256
533553acf43e2d889a2d94e2842f4a0342f5b196fd23ba1c4693e3385505db8a

SHA512
655d266ddb0e01ac4ea7525a90cf510035e30e560f29158a6593939bf10ea51c3081f8003991e281de5790c8f795a198657bf495a9917d71cdfb6d29104cfe70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr669017.exe

Filesize
260KB

MD5
e7a66f9c1fd281341a0cadc10186a4cb

SHA1
14afbab3a4a3d5de34b1bd37ea672c1848004d83

SHA256
b6525b10863c3003806f22131a5e1f3d0d61aa5a945860032de41b7528e9cf4a

SHA512
4250fceba22e5d5940b7b4e643cc901aa910b85d592e794a1dfa2074f1b26143244ad6f46ebbb9fa0d25df8a036200d6086a7c273a47d8805c916e87ae879ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr669017.exe

Filesize
260KB

MD5
e7a66f9c1fd281341a0cadc10186a4cb

SHA1
14afbab3a4a3d5de34b1bd37ea672c1848004d83

SHA256
b6525b10863c3003806f22131a5e1f3d0d61aa5a945860032de41b7528e9cf4a

SHA512
4250fceba22e5d5940b7b4e643cc901aa910b85d592e794a1dfa2074f1b26143244ad6f46ebbb9fa0d25df8a036200d6086a7c273a47d8805c916e87ae879ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu573418.exe

Filesize
352KB

MD5
6d125a44344be1141495ff519cb484c2

SHA1
50d523b638cf2f090f1d4ff2360b468dfef431a9

SHA256
0ee10e0cb6eea641afe14620a01dad5a54499b1f2ade2ace054134e3d09bf400

SHA512
7e548bbad4d9bf1ea20262d2bdd57b0ab61f0f8bf52851b66be16578ddd395e272416af69a116944dc9616bb50504eeab664b2f3991f88134220e9f2d8dfc1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu573418.exe

Filesize
352KB

MD5
6d125a44344be1141495ff519cb484c2

SHA1
50d523b638cf2f090f1d4ff2360b468dfef431a9

SHA256
0ee10e0cb6eea641afe14620a01dad5a54499b1f2ade2ace054134e3d09bf400

SHA512
7e548bbad4d9bf1ea20262d2bdd57b0ab61f0f8bf52851b66be16578ddd395e272416af69a116944dc9616bb50504eeab664b2f3991f88134220e9f2d8dfc1af

Download Submit
memory/824-148-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/824-149-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-150-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-152-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-154-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-156-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-158-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-160-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-162-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-164-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-166-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-168-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-170-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-172-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-174-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-176-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/824-177-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/824-178-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/824-179-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/824-180-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/824-181-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/824-182-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/824-183-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/824-185-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4300-191-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-190-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-193-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-195-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-197-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-199-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-201-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-203-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-205-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-207-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-209-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-211-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-213-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-215-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-217-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-219-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-221-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-223-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4300-550-0x0000000002BD0000-0x0000000002C16000-memory.dmp

Filesize
280KB

Download
memory/4300-552-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/4300-556-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/4300-554-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/4300-986-0x0000000009C80000-0x000000000A298000-memory.dmp

Filesize
6.1MB

Download
memory/4300-987-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/4300-988-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/4300-989-0x000000000A460000-0x000000000A49C000-memory.dmp

Filesize
240KB

Download
memory/4300-990-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/4300-991-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/4300-992-0x000000000AF30000-0x000000000AFC2000-memory.dmp

Filesize
584KB

Download
memory/4300-993-0x000000000AFD0000-0x000000000B020000-memory.dmp

Filesize
320KB

Download
memory/4300-994-0x000000000B040000-0x000000000B0B6000-memory.dmp

Filesize
472KB

Download
memory/4300-995-0x000000000B0E0000-0x000000000B0FE000-memory.dmp

Filesize
120KB

Download
memory/4300-996-0x000000000B310000-0x000000000B4D2000-memory.dmp

Filesize
1.8MB

Download
memory/4300-997-0x000000000B4E0000-0x000000000BA0C000-memory.dmp

Filesize
5.2MB

Download
memory/4916-1003-0x0000000000A80000-0x0000000000AA8000-memory.dmp

Filesize
160KB

Download
memory/4916-1004-0x0000000007BB0000-0x0000000007BC0000-memory.dmp

Filesize
64KB

Download