e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93

Analysis

max time kernel
144s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
23/04/2023, 09:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe
Size

704KB
MD5

a0f2812b3d31e1b5f188d0e9d21d3ab2
SHA1

9bbd00ba7e557d8c3c3915f2b4f16276695a4843
SHA256

e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93
SHA512

89e51ae6c9f253294bab26accbfb4fa58eb3437ee5d921d7d4dd2a6dd92a89fcd345015ba4a56296c4d9a85a0e0dbbdb0d22dc6a45f828cdd114a35d17a3b37e
SSDEEP

12288:hy90miH8tFHcsXxXICFk085EfCymad0ipLFSObixbJqbCWi+LlATBge:hy2H8TjzJTfYKFtbixbJqm+LeBge

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr120979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr120979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr120979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr120979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr120979.exe

Executes dropped EXE 4 IoCs

pid	Process
2208	un711587.exe
5104	pr120979.exe
3872	qu399564.exe
3972	si905104.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr120979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr120979.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un711587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un711587.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5104	pr120979.exe
5104	pr120979.exe
3872	qu399564.exe
3872	qu399564.exe
3972	si905104.exe
3972	si905104.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	pr120979.exe
Token: SeDebugPrivilege	3872	qu399564.exe
Token: SeDebugPrivilege	3972	si905104.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 2208	3236	e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe	66
PID 3236 wrote to memory of 2208	3236	e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe	66
PID 3236 wrote to memory of 2208	3236	e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe	66
PID 2208 wrote to memory of 5104	2208	un711587.exe	67
PID 2208 wrote to memory of 5104	2208	un711587.exe	67
PID 2208 wrote to memory of 5104	2208	un711587.exe	67
PID 2208 wrote to memory of 3872	2208	un711587.exe	68
PID 2208 wrote to memory of 3872	2208	un711587.exe	68
PID 2208 wrote to memory of 3872	2208	un711587.exe	68
PID 3236 wrote to memory of 3972	3236	e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe	70
PID 3236 wrote to memory of 3972	3236	e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe	70
PID 3236 wrote to memory of 3972	3236	e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe	70

C:\Users\Admin\AppData\Local\Temp\e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe
"C:\Users\Admin\AppData\Local\Temp\e179dfadfd9157da384378be5dc3bf01d74a911d61c58a40236fa52b6224cc93.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un711587.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un711587.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr120979.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr120979.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu399564.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu399564.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si905104.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si905104.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si905104.exe

Filesize
136KB

MD5
8c80b06d843bd6a7599a5be2075d9a55

SHA1
caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

SHA256
e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

SHA512
cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si905104.exe

Filesize
136KB

MD5
8c80b06d843bd6a7599a5be2075d9a55

SHA1
caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

SHA256
e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

SHA512
cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un711587.exe

Filesize
550KB

MD5
206738f7486eeb1bcf4b07caa87bc19f

SHA1
d02b88c5c3fcc6f22b50b76027b081295f7a94bf

SHA256
9b9ca4039695995f9e330825598c7889901e058a40d91129d2388d130a387bfc

SHA512
0f7c273aaf6ee9d817bd4b949bd59139298c5f3423fa068fdd99a04042dae30116f9d833647555bb5a2536842394c99ea0259a7550bbedacd5bf3d229a17cdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un711587.exe

Filesize
550KB

MD5
206738f7486eeb1bcf4b07caa87bc19f

SHA1
d02b88c5c3fcc6f22b50b76027b081295f7a94bf

SHA256
9b9ca4039695995f9e330825598c7889901e058a40d91129d2388d130a387bfc

SHA512
0f7c273aaf6ee9d817bd4b949bd59139298c5f3423fa068fdd99a04042dae30116f9d833647555bb5a2536842394c99ea0259a7550bbedacd5bf3d229a17cdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr120979.exe

Filesize
286KB

MD5
df30b4b215f77404bbe78e4b3bd4479b

SHA1
b3c1ba6c8697a5f846a1f991b9c532cf41d8192f

SHA256
547b13fd8f846b6991444738b47d8a7c1b6ae03fefa5b996a432b6ad083a487c

SHA512
093915921253b9deeacc2114cf6fc57ec05c1167ff18cabb77375c4d49b4bd4737adffd765ae7af5f6c96c73843ae47d58e93f3e825c52b3d86e4d440e3e8cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr120979.exe

Filesize
286KB

MD5
df30b4b215f77404bbe78e4b3bd4479b

SHA1
b3c1ba6c8697a5f846a1f991b9c532cf41d8192f

SHA256
547b13fd8f846b6991444738b47d8a7c1b6ae03fefa5b996a432b6ad083a487c

SHA512
093915921253b9deeacc2114cf6fc57ec05c1167ff18cabb77375c4d49b4bd4737adffd765ae7af5f6c96c73843ae47d58e93f3e825c52b3d86e4d440e3e8cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu399564.exe

Filesize
368KB

MD5
2a9e2c4b220ad8e9c633d4be2241da97

SHA1
21aaca0e70e6417c03cd377e3f253c97751280f8

SHA256
0b345ad50dd443a48c65401ad3ffd27660b77060571198a4f3f9f0ae37f81428

SHA512
27ec38edd07d5a113fca25292c2f1315663df2e0799ee9e330b4b03c87554c71733a8dade6eb09d2241c816ed850ae8531fa18e435f8f4403d69df630e173d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu399564.exe

Filesize
368KB

MD5
2a9e2c4b220ad8e9c633d4be2241da97

SHA1
21aaca0e70e6417c03cd377e3f253c97751280f8

SHA256
0b345ad50dd443a48c65401ad3ffd27660b77060571198a4f3f9f0ae37f81428

SHA512
27ec38edd07d5a113fca25292c2f1315663df2e0799ee9e330b4b03c87554c71733a8dade6eb09d2241c816ed850ae8531fa18e435f8f4403d69df630e173d5d

Download Submit
memory/3872-215-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-977-0x0000000009C00000-0x0000000009C12000-memory.dmp

Filesize
72KB

Download
memory/3872-187-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-988-0x0000000004840000-0x0000000004890000-memory.dmp

Filesize
320KB

Download
memory/3872-987-0x000000000B7E0000-0x000000000B7FE000-memory.dmp

Filesize
120KB

Download
memory/3872-986-0x000000000B190000-0x000000000B6BC000-memory.dmp

Filesize
5.2MB

Download
memory/3872-985-0x000000000AFB0000-0x000000000B172000-memory.dmp

Filesize
1.8MB

Download
memory/3872-984-0x000000000AEF0000-0x000000000AF66000-memory.dmp

Filesize
472KB

Download
memory/3872-983-0x000000000AD20000-0x000000000ADB2000-memory.dmp

Filesize
584KB

Download
memory/3872-982-0x000000000A060000-0x000000000A0C6000-memory.dmp

Filesize
408KB

Download
memory/3872-981-0x0000000009ED0000-0x0000000009F1B000-memory.dmp

Filesize
300KB

Download
memory/3872-980-0x0000000009D50000-0x0000000009D8E000-memory.dmp

Filesize
248KB

Download
memory/3872-979-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/3872-978-0x0000000009C30000-0x0000000009D3A000-memory.dmp

Filesize
1.0MB

Download
memory/3872-976-0x000000000A190000-0x000000000A796000-memory.dmp

Filesize
6.0MB

Download
memory/3872-217-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-213-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-211-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-209-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-207-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-189-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-203-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-201-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-199-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-178-0x0000000004950000-0x000000000498C000-memory.dmp

Filesize
240KB

Download
memory/3872-179-0x0000000004BF0000-0x0000000004C2A000-memory.dmp

Filesize
232KB

Download
memory/3872-180-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/3872-181-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-184-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/3872-183-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-182-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/3872-186-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/3872-197-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-191-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-205-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-193-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3872-195-0x0000000004BF0000-0x0000000004C25000-memory.dmp

Filesize
212KB

Download
memory/3972-994-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/3972-996-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/3972-995-0x0000000007140000-0x000000000718B000-memory.dmp

Filesize
300KB

Download
memory/5104-151-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-157-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-170-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/5104-169-0x0000000000400000-0x0000000002BB1000-memory.dmp

Filesize
39.7MB

Download
memory/5104-168-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/5104-167-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/5104-136-0x00000000072B0000-0x00000000077AE000-memory.dmp

Filesize
5.0MB

Download
memory/5104-166-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/5104-165-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-139-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-141-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-163-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-147-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-172-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/5104-155-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-153-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-161-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-149-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-159-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-145-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-143-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-135-0x0000000002F50000-0x0000000002F6A000-memory.dmp

Filesize
104KB

Download
memory/5104-134-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/5104-173-0x0000000000400000-0x0000000002BB1000-memory.dmp

Filesize
39.7MB

Download
memory/5104-138-0x0000000004820000-0x0000000004832000-memory.dmp

Filesize
72KB

Download
memory/5104-137-0x0000000004820000-0x0000000004838000-memory.dmp

Filesize
96KB

Download