9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22/04/2023, 20:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe
Size

696KB
MD5

18bb2d3c4257116b05e12ba052584867
SHA1

72740fb960a5a5d78011973c5e0cd054ae2713b4
SHA256

9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788
SHA512

c8189d87bc1cd8485473f6f0907c36ac48e909dffdfe46e5192f7278e4f5787575f7051ced2f9c3180790fdb9349f0452edc8d8efbb3e8362cbad71c6670e5d5
SSDEEP

12288:cy905NjO21Vkyi/f1ItJhAFKGSknA64gtgGwdJbQ3XZs:cycNjFVkH9ItJIKGSe4SdwdmZs

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr102723.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr102723.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr102723.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr102723.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr102723.exe

Executes dropped EXE 4 IoCs

pid	Process
4288	un805181.exe
4484	pr102723.exe
4820	qu827618.exe
2732	si828285.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr102723.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr102723.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un805181.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un805181.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4484	pr102723.exe
4484	pr102723.exe
4820	qu827618.exe
4820	qu827618.exe
2732	si828285.exe
2732	si828285.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	pr102723.exe
Token: SeDebugPrivilege	4820	qu827618.exe
Token: SeDebugPrivilege	2732	si828285.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4288	3636	9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe	66
PID 3636 wrote to memory of 4288	3636	9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe	66
PID 3636 wrote to memory of 4288	3636	9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe	66
PID 4288 wrote to memory of 4484	4288	un805181.exe	67
PID 4288 wrote to memory of 4484	4288	un805181.exe	67
PID 4288 wrote to memory of 4484	4288	un805181.exe	67
PID 4288 wrote to memory of 4820	4288	un805181.exe	68
PID 4288 wrote to memory of 4820	4288	un805181.exe	68
PID 4288 wrote to memory of 4820	4288	un805181.exe	68
PID 3636 wrote to memory of 2732	3636	9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe	70
PID 3636 wrote to memory of 2732	3636	9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe	70
PID 3636 wrote to memory of 2732	3636	9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe	70

C:\Users\Admin\AppData\Local\Temp\9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe
"C:\Users\Admin\AppData\Local\Temp\9a6189061c528ef727ed143146881b4e5fdfca49260a1e0fe93c3dfeb3dc2788.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un805181.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un805181.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr102723.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr102723.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu827618.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu827618.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si828285.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si828285.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si828285.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si828285.exe

Filesize
136KB

MD5
49650cdcdc358bb2770f0062abeef88c

SHA1
d6f7ec7758e9a80700b81bc7a549838ba99aacac

SHA256
79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59

SHA512
7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un805181.exe

Filesize
542KB

MD5
36ed2f23f7aab826296e167d9c8e1940

SHA1
af3291c422638942d53d2e8914c716757908bb17

SHA256
28f24cd7838fa93341d2cb34092ae1aa9ef9d768899830a9b93889c0da154483

SHA512
1f60f8903ca2883642a60370c3870608204f95f327a8a8d3a07de33d324fb1de84be4f09ab76c16916025210e0917605b20e79d42f23e17192e64d0ab0dd1011

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un805181.exe

Filesize
542KB

MD5
36ed2f23f7aab826296e167d9c8e1940

SHA1
af3291c422638942d53d2e8914c716757908bb17

SHA256
28f24cd7838fa93341d2cb34092ae1aa9ef9d768899830a9b93889c0da154483

SHA512
1f60f8903ca2883642a60370c3870608204f95f327a8a8d3a07de33d324fb1de84be4f09ab76c16916025210e0917605b20e79d42f23e17192e64d0ab0dd1011

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr102723.exe

Filesize
269KB

MD5
621feadf00194d10263342663cdaa99e

SHA1
18b9a9270049794de1a32adf1726a1b275c1e974

SHA256
65117893095eb1ea3c58f1dcd599b22a32063bdbbf8df1b6e9c279146ee5b9bf

SHA512
9936523e86b506e988639cb24e29d75265ca84a283b3afe105a86f2a47b97b24713b92440aecdbbca28d53eb30a36366ba3df70af8269e138d3b19e2c46c2a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr102723.exe

Filesize
269KB

MD5
621feadf00194d10263342663cdaa99e

SHA1
18b9a9270049794de1a32adf1726a1b275c1e974

SHA256
65117893095eb1ea3c58f1dcd599b22a32063bdbbf8df1b6e9c279146ee5b9bf

SHA512
9936523e86b506e988639cb24e29d75265ca84a283b3afe105a86f2a47b97b24713b92440aecdbbca28d53eb30a36366ba3df70af8269e138d3b19e2c46c2a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu827618.exe

Filesize
352KB

MD5
0d05fa629a5c09abfde922c2e005088b

SHA1
0398a46bddd670c208a338d3ca1ce99f49a61c9e

SHA256
14213c4af30197eb52f7310a6bbacf87a5d5b0350d8ebfcd3af7838e23c8834e

SHA512
4eafb313db33c8e568ee0fc97b918f9c184be4ce28d8eba13f960a0ef4451c4397f30ae56f172f42cc889b365482c2d4cc4abf0433a901f5bb47a6893c3ef2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu827618.exe

Filesize
352KB

MD5
0d05fa629a5c09abfde922c2e005088b

SHA1
0398a46bddd670c208a338d3ca1ce99f49a61c9e

SHA256
14213c4af30197eb52f7310a6bbacf87a5d5b0350d8ebfcd3af7838e23c8834e

SHA512
4eafb313db33c8e568ee0fc97b918f9c184be4ce28d8eba13f960a0ef4451c4397f30ae56f172f42cc889b365482c2d4cc4abf0433a901f5bb47a6893c3ef2e8

Download Submit
memory/2732-992-0x0000000000800000-0x0000000000828000-memory.dmp

Filesize
160KB

Download
memory/2732-993-0x0000000007580000-0x00000000075CB000-memory.dmp

Filesize
300KB

Download
memory/2732-994-0x0000000007890000-0x00000000078A0000-memory.dmp

Filesize
64KB

Download
memory/4484-141-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-153-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-138-0x00000000070C0000-0x00000000075BE000-memory.dmp

Filesize
5.0MB

Download
memory/4484-139-0x0000000007090000-0x00000000070A8000-memory.dmp

Filesize
96KB

Download
memory/4484-140-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-136-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/4484-143-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-145-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-147-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-149-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-151-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-137-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/4484-155-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-157-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-159-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-161-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-163-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-165-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-167-0x0000000007090000-0x00000000070A2000-memory.dmp

Filesize
72KB

Download
memory/4484-168-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/4484-169-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/4484-171-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/4484-135-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

Filesize
180KB

Download
memory/4484-134-0x0000000004700000-0x000000000471A000-memory.dmp

Filesize
104KB

Download
memory/4820-180-0x00000000070A0000-0x00000000070B0000-memory.dmp

Filesize
64KB

Download
memory/4820-211-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-182-0x00000000070A0000-0x00000000070B0000-memory.dmp

Filesize
64KB

Download
memory/4820-181-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-179-0x00000000076F0000-0x000000000772A000-memory.dmp

Filesize
232KB

Download
memory/4820-183-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-185-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-187-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-189-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-191-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-193-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-195-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-197-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-199-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-201-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-203-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-205-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-207-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-209-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-178-0x00000000070A0000-0x00000000070B0000-memory.dmp

Filesize
64KB

Download
memory/4820-213-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-215-0x00000000076F0000-0x0000000007725000-memory.dmp

Filesize
212KB

Download
memory/4820-974-0x000000000A200000-0x000000000A806000-memory.dmp

Filesize
6.0MB

Download
memory/4820-975-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4820-976-0x0000000009C30000-0x0000000009D3A000-memory.dmp

Filesize
1.0MB

Download
memory/4820-977-0x0000000009D50000-0x0000000009D8E000-memory.dmp

Filesize
248KB

Download
memory/4820-978-0x0000000009DD0000-0x0000000009E1B000-memory.dmp

Filesize
300KB

Download
memory/4820-979-0x00000000070A0000-0x00000000070B0000-memory.dmp

Filesize
64KB

Download
memory/4820-980-0x000000000A060000-0x000000000A0C6000-memory.dmp

Filesize
408KB

Download
memory/4820-981-0x000000000AD30000-0x000000000ADC2000-memory.dmp

Filesize
584KB

Download
memory/4820-982-0x000000000ADD0000-0x000000000AE20000-memory.dmp

Filesize
320KB

Download
memory/4820-983-0x000000000AE40000-0x000000000AEB6000-memory.dmp

Filesize
472KB

Download
memory/4820-177-0x0000000002BD0000-0x0000000002C16000-memory.dmp

Filesize
280KB

Download
memory/4820-176-0x0000000006FF0000-0x000000000702C000-memory.dmp

Filesize
240KB

Download
memory/4820-984-0x000000000AFE0000-0x000000000AFFE000-memory.dmp

Filesize
120KB

Download
memory/4820-985-0x000000000B0B0000-0x000000000B272000-memory.dmp

Filesize
1.8MB

Download
memory/4820-986-0x000000000B280000-0x000000000B7AC000-memory.dmp

Filesize
5.2MB

Download