860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb

Analysis

max time kernel
71s
max time network
143s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
23-04-2023 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe
Size

702KB
MD5

eb7decac38393d58d0705e72736f1535
SHA1

902f68fcbf3f0531435ec249949264652a353129
SHA256

860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb
SHA512

a0a40e579c0fa43834b23cf0a2680362f8edbe3e3778628689eb0b205a30f59fc4cd449d8a3f53001767657558d7628663f9a947453a2265b4a446fd5ab28097
SSDEEP

12288:Cy90u4zi6PUJT9DARfTuE7rGqRph8FjFfn1B8udtJk7p4kcQeg:CyL6sFARfyE7KqJY9KOkcQb

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr773789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr773789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr773789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr773789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr773789.exe

Executes dropped EXE 4 IoCs

pid	Process
3652	un788377.exe
4192	pr773789.exe
2052	qu777333.exe
4340	si079237.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr773789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr773789.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un788377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un788377.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4192	pr773789.exe
4192	pr773789.exe
2052	qu777333.exe
2052	qu777333.exe
4340	si079237.exe
4340	si079237.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	pr773789.exe
Token: SeDebugPrivilege	2052	qu777333.exe
Token: SeDebugPrivilege	4340	si079237.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 3652	4324	860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe	66
PID 4324 wrote to memory of 3652	4324	860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe	66
PID 4324 wrote to memory of 3652	4324	860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe	66
PID 3652 wrote to memory of 4192	3652	un788377.exe	67
PID 3652 wrote to memory of 4192	3652	un788377.exe	67
PID 3652 wrote to memory of 4192	3652	un788377.exe	67
PID 3652 wrote to memory of 2052	3652	un788377.exe	68
PID 3652 wrote to memory of 2052	3652	un788377.exe	68
PID 3652 wrote to memory of 2052	3652	un788377.exe	68
PID 4324 wrote to memory of 4340	4324	860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe	70
PID 4324 wrote to memory of 4340	4324	860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe	70
PID 4324 wrote to memory of 4340	4324	860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe	70

C:\Users\Admin\AppData\Local\Temp\860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe
"C:\Users\Admin\AppData\Local\Temp\860a43b58d1ff2d264632d39ab83c40c0b2b4bbbe3ece32f2dd0ca5545e11deb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un788377.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un788377.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr773789.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr773789.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu777333.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu777333.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si079237.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si079237.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si079237.exe

Filesize
136KB

MD5
8c80b06d843bd6a7599a5be2075d9a55

SHA1
caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

SHA256
e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

SHA512
cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si079237.exe

Filesize
136KB

MD5
8c80b06d843bd6a7599a5be2075d9a55

SHA1
caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

SHA256
e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

SHA512
cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un788377.exe

Filesize
548KB

MD5
ad072ce32d8723e25174c892ab25e277

SHA1
cc77f969bf34d73d472542a1b32e1c1cdd760170

SHA256
f2848b753fc0573cacc42d87bde91e1c049ec3b917bbd41498db6f484084d818

SHA512
68b6b7b733491c5fb0ba7a24aabe7dbfc9ad82b0c049c5acd35aba51ee34cab4e2566c92fd372368d919e08ad00b0e0280cd907b098ce4c78fd6c923b153d808

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un788377.exe

Filesize
548KB

MD5
ad072ce32d8723e25174c892ab25e277

SHA1
cc77f969bf34d73d472542a1b32e1c1cdd760170

SHA256
f2848b753fc0573cacc42d87bde91e1c049ec3b917bbd41498db6f484084d818

SHA512
68b6b7b733491c5fb0ba7a24aabe7dbfc9ad82b0c049c5acd35aba51ee34cab4e2566c92fd372368d919e08ad00b0e0280cd907b098ce4c78fd6c923b153d808

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr773789.exe

Filesize
276KB

MD5
d820510055b1fb3fd36bccefcec15657

SHA1
63b174c6f7a8307453c0aeb566c6a70a66bed697

SHA256
1f2792743c86358e4d03e22b37e3d5057c923414aa302d6b62d32cbb1c90737a

SHA512
6ba448e010bece66df1b2e48776c7c41a4610a73f831cda1a4393e896d27e2337ed93b0de3922bf2905e6f1fd6b2db05be5dea700928dfaddd56b312e91a1f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr773789.exe

Filesize
276KB

MD5
d820510055b1fb3fd36bccefcec15657

SHA1
63b174c6f7a8307453c0aeb566c6a70a66bed697

SHA256
1f2792743c86358e4d03e22b37e3d5057c923414aa302d6b62d32cbb1c90737a

SHA512
6ba448e010bece66df1b2e48776c7c41a4610a73f831cda1a4393e896d27e2337ed93b0de3922bf2905e6f1fd6b2db05be5dea700928dfaddd56b312e91a1f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu777333.exe

Filesize
353KB

MD5
8e9c0c823bc9601fedfe66987e504386

SHA1
6c2cb0b0d48b179976f555fb018987e5ac4e1d71

SHA256
3150137023631045e3da36394130c3bc0f21e06d74b79bc2c8e60434a4d495ff

SHA512
4636e68fde90a306b53eec36035b5e87e1535b848c787070d1c87192d9cf7751e895af35e4c9cfdad644c5ecd602a182fe4c697cd4382dcf1b1c6059ff82a773

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu777333.exe

Filesize
353KB

MD5
8e9c0c823bc9601fedfe66987e504386

SHA1
6c2cb0b0d48b179976f555fb018987e5ac4e1d71

SHA256
3150137023631045e3da36394130c3bc0f21e06d74b79bc2c8e60434a4d495ff

SHA512
4636e68fde90a306b53eec36035b5e87e1535b848c787070d1c87192d9cf7751e895af35e4c9cfdad644c5ecd602a182fe4c697cd4382dcf1b1c6059ff82a773

Download Submit
memory/2052-214-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-216-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-989-0x0000000004710000-0x0000000004760000-memory.dmp

Filesize
320KB

Download
memory/2052-988-0x000000000B6F0000-0x000000000B70E000-memory.dmp

Filesize
120KB

Download
memory/2052-987-0x000000000B090000-0x000000000B5BC000-memory.dmp

Filesize
5.2MB

Download
memory/2052-986-0x000000000AEB0000-0x000000000B072000-memory.dmp

Filesize
1.8MB

Download
memory/2052-985-0x000000000ADE0000-0x000000000AE56000-memory.dmp

Filesize
472KB

Download
memory/2052-189-0x0000000002CF0000-0x0000000002D36000-memory.dmp

Filesize
280KB

Download
memory/2052-984-0x000000000AD20000-0x000000000ADB2000-memory.dmp

Filesize
584KB

Download
memory/2052-983-0x000000000A060000-0x000000000A0C6000-memory.dmp

Filesize
408KB

Download
memory/2052-982-0x0000000009DD0000-0x0000000009E1B000-memory.dmp

Filesize
300KB

Download
memory/2052-981-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2052-980-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/2052-191-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2052-979-0x0000000009C90000-0x0000000009D9A000-memory.dmp

Filesize
1.0MB

Download
memory/2052-978-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/2052-977-0x000000000A2A0000-0x000000000A8A6000-memory.dmp

Filesize
6.0MB

Download
memory/2052-195-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2052-218-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-196-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-212-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-210-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-208-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-206-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-204-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-179-0x0000000004950000-0x000000000498C000-memory.dmp

Filesize
240KB

Download
memory/2052-182-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-181-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-180-0x00000000049F0000-0x0000000004A2A000-memory.dmp

Filesize
232KB

Download
memory/2052-184-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-186-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-188-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-202-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-200-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-198-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/2052-193-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2052-192-0x00000000049F0000-0x0000000004A25000-memory.dmp

Filesize
212KB

Download
memory/4192-166-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-168-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-160-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-148-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-138-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4192-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4192-174-0x0000000000400000-0x0000000002BAE000-memory.dmp

Filesize
39.7MB

Download
memory/4192-172-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4192-171-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4192-137-0x0000000004950000-0x0000000004968000-memory.dmp

Filesize
96KB

Download
memory/4192-170-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4192-169-0x0000000000400000-0x0000000002BAE000-memory.dmp

Filesize
39.7MB

Download
memory/4192-139-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4192-164-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-162-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-158-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-156-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-154-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-152-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-150-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-146-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-144-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-142-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-141-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4192-140-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4192-135-0x0000000007280000-0x000000000777E000-memory.dmp

Filesize
5.0MB

Download
memory/4192-134-0x0000000002DB0000-0x0000000002DCA000-memory.dmp

Filesize
104KB

Download
memory/4340-995-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/4340-996-0x0000000007120000-0x000000000716B000-memory.dmp

Filesize
300KB

Download
memory/4340-997-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download