b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9

Analysis

max time kernel
53s
max time network
56s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
23-04-2023 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe
Size

703KB
MD5

6585bb5d3cb98bfc047887004a391a89
SHA1

114e95381d54aa8b2f4d27c289ac3dc968da3ac0
SHA256

b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9
SHA512

58847814eabefbbe3e328ec0582c165261de371c17813aea7b886886f968fc63327cbdb279423e436378ada797aaed80113afcd11ec5b578174a3d3466e88e0b
SSDEEP

12288:Ay90iaN9rTpFLNadmBJ6MlqOr1R49xizV0VFbEifIT52kMxtlscILSYrb/XFB/SM:AyA9rFFLPBJ639ozV0ViifjkMnYnrb/j

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr896826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr896826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr896826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr896826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr896826.exe

Executes dropped EXE 4 IoCs

pid	Process
3788	un599208.exe
3084	pr896826.exe
1664	qu978019.exe
1020	si450996.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr896826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr896826.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un599208.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un599208.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3084	pr896826.exe
3084	pr896826.exe
1664	qu978019.exe
1664	qu978019.exe
1020	si450996.exe
1020	si450996.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	pr896826.exe
Token: SeDebugPrivilege	1664	qu978019.exe
Token: SeDebugPrivilege	1020	si450996.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3788	2136	b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe	66
PID 2136 wrote to memory of 3788	2136	b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe	66
PID 2136 wrote to memory of 3788	2136	b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe	66
PID 3788 wrote to memory of 3084	3788	un599208.exe	67
PID 3788 wrote to memory of 3084	3788	un599208.exe	67
PID 3788 wrote to memory of 3084	3788	un599208.exe	67
PID 3788 wrote to memory of 1664	3788	un599208.exe	68
PID 3788 wrote to memory of 1664	3788	un599208.exe	68
PID 3788 wrote to memory of 1664	3788	un599208.exe	68
PID 2136 wrote to memory of 1020	2136	b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe	70
PID 2136 wrote to memory of 1020	2136	b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe	70
PID 2136 wrote to memory of 1020	2136	b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe	70

C:\Users\Admin\AppData\Local\Temp\b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe
"C:\Users\Admin\AppData\Local\Temp\b6da63886ab7ac9aba71256db97320bc87df723bc0e05bd2ada855cb781f4ad9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599208.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599208.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr896826.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr896826.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu978019.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu978019.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si450996.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si450996.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si450996.exe

Filesize
136KB

MD5
8c80b06d843bd6a7599a5be2075d9a55

SHA1
caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

SHA256
e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

SHA512
cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si450996.exe

Filesize
136KB

MD5
8c80b06d843bd6a7599a5be2075d9a55

SHA1
caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

SHA256
e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

SHA512
cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599208.exe

Filesize
549KB

MD5
44c4e837b91446427dd95548583d4e15

SHA1
ef80a78f4b45bdba092ed0e81265e09c5f2ae622

SHA256
72c8b9eb73cd9d03460f9ab6579e21e59ffe6acd8c51dc438f713adbf8ff5412

SHA512
039fdcaa7c2982cbeceb8eeaf4f14af86aa78ed1c7e670bc513e899427ce80c44181e67c9e1ce366f25bdf119c818eaa506bb65a6342dcffbd699c07e96d516f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599208.exe

Filesize
549KB

MD5
44c4e837b91446427dd95548583d4e15

SHA1
ef80a78f4b45bdba092ed0e81265e09c5f2ae622

SHA256
72c8b9eb73cd9d03460f9ab6579e21e59ffe6acd8c51dc438f713adbf8ff5412

SHA512
039fdcaa7c2982cbeceb8eeaf4f14af86aa78ed1c7e670bc513e899427ce80c44181e67c9e1ce366f25bdf119c818eaa506bb65a6342dcffbd699c07e96d516f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr896826.exe

Filesize
277KB

MD5
5deb907122065160cd50bd3fe2a58cc8

SHA1
c5fa76e2ee887d87ba308a1d29b54a89b6926e78

SHA256
1860359da18e2bac320cf44fb86c51e080a0ac3b44052cbf20b5b59738dc7677

SHA512
4c29e5c1a0fc7acf4fec01b60b72de5df84c8b800c71b91a417fbc2fc3ef7845b63a16664b8ed99baf8bb548b45d8fa56321cfd794bf2e42599b85f7ae6005fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr896826.exe

Filesize
277KB

MD5
5deb907122065160cd50bd3fe2a58cc8

SHA1
c5fa76e2ee887d87ba308a1d29b54a89b6926e78

SHA256
1860359da18e2bac320cf44fb86c51e080a0ac3b44052cbf20b5b59738dc7677

SHA512
4c29e5c1a0fc7acf4fec01b60b72de5df84c8b800c71b91a417fbc2fc3ef7845b63a16664b8ed99baf8bb548b45d8fa56321cfd794bf2e42599b85f7ae6005fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu978019.exe

Filesize
360KB

MD5
1fae334d1139bf93b4af3cddabd60272

SHA1
bd39ff7be0ef17399193400ae538777bff1e3f9f

SHA256
510fa3a23b94b3d6a2bb9e485a2ab6e295f3612ba2ed8f6abde805da34e6b1e4

SHA512
18a550fab01f12b5778a57d36d3cad071613aecd9b350e255bbd1d0108a1ea6549c01ea39dbf9c0d009aaa623607fb1675d92009534585f3bd4a86e0e1732685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu978019.exe

Filesize
360KB

MD5
1fae334d1139bf93b4af3cddabd60272

SHA1
bd39ff7be0ef17399193400ae538777bff1e3f9f

SHA256
510fa3a23b94b3d6a2bb9e485a2ab6e295f3612ba2ed8f6abde805da34e6b1e4

SHA512
18a550fab01f12b5778a57d36d3cad071613aecd9b350e255bbd1d0108a1ea6549c01ea39dbf9c0d009aaa623607fb1675d92009534585f3bd4a86e0e1732685

Download Submit
memory/1020-998-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/1020-997-0x0000000007090000-0x00000000070DB000-memory.dmp

Filesize
300KB

Download
memory/1020-996-0x0000000000310000-0x0000000000338000-memory.dmp

Filesize
160KB

Download
memory/1664-219-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1664-977-0x0000000009BE0000-0x000000000A1E6000-memory.dmp

Filesize
6.0MB

Download
memory/1664-990-0x000000000B290000-0x000000000B7BC000-memory.dmp

Filesize
5.2MB

Download
memory/1664-988-0x000000000B0C0000-0x000000000B282000-memory.dmp

Filesize
1.8MB

Download
memory/1664-987-0x000000000AFD0000-0x000000000AFEE000-memory.dmp

Filesize
120KB

Download
memory/1664-986-0x000000000AF40000-0x000000000AFB6000-memory.dmp

Filesize
472KB

Download
memory/1664-985-0x000000000AEF0000-0x000000000AF40000-memory.dmp

Filesize
320KB

Download
memory/1664-984-0x000000000AD30000-0x000000000ADC2000-memory.dmp

Filesize
584KB

Download
memory/1664-983-0x000000000A670000-0x000000000A6D6000-memory.dmp

Filesize
408KB

Download
memory/1664-982-0x000000000A3E0000-0x000000000A42B000-memory.dmp

Filesize
300KB

Download
memory/1664-981-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1664-980-0x000000000A3A0000-0x000000000A3DE000-memory.dmp

Filesize
248KB

Download
memory/1664-979-0x000000000A240000-0x000000000A34A000-memory.dmp

Filesize
1.0MB

Download
memory/1664-978-0x000000000A210000-0x000000000A222000-memory.dmp

Filesize
72KB

Download
memory/1664-214-0x0000000002CE0000-0x0000000002D26000-memory.dmp

Filesize
280KB

Download
memory/1664-215-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1664-217-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1664-216-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-212-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-210-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-208-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-206-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-179-0x00000000070A0000-0x00000000070DC000-memory.dmp

Filesize
240KB

Download
memory/1664-180-0x0000000007130000-0x000000000716A000-memory.dmp

Filesize
232KB

Download
memory/1664-182-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-181-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-184-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-186-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-188-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-190-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-192-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-194-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-196-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-198-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-200-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-202-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/1664-204-0x0000000007130000-0x0000000007165000-memory.dmp

Filesize
212KB

Download
memory/3084-162-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-134-0x00000000048D0000-0x00000000048EA000-memory.dmp

Filesize
104KB

Download
memory/3084-140-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/3084-172-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/3084-170-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/3084-171-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/3084-139-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/3084-169-0x0000000000400000-0x0000000002BAE000-memory.dmp

Filesize
39.7MB

Download
memory/3084-168-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-142-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-166-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-164-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-174-0x0000000000400000-0x0000000002BAE000-memory.dmp

Filesize
39.7MB

Download
memory/3084-141-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-144-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-156-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-154-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-152-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-150-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-148-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-146-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-158-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3084-138-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/3084-137-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3084-136-0x0000000004C70000-0x0000000004C88000-memory.dmp

Filesize
96KB

Download
memory/3084-135-0x0000000007170000-0x000000000766E000-memory.dmp

Filesize
5.0MB

Download
memory/3084-160-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download