616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e

Analysis

max time kernel
61s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2023, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe
Size

746KB
MD5

2a54fa09f25190bf14c9e6dcc015273e
SHA1

0ed74e2289cff8afa604937872b38b5f3ef1b14c
SHA256

616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e
SHA512

54bc94e015d39530fc637b585a0f2c2c1123e752a9fc3106cf69f6bab15d958ee6faadaa399ec3a8c808ec153e77ea4ff2b533c5f8cbcc31c1dbff114a2402cc
SSDEEP

12288:ey90JydEBfhEMkt5RSRYmsqIZz1nrSKeFyOHwUbn4waRi9G0gK8v:eyqxhKt5sIlZzV/nuHbnZCi9av

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	11591981.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	11591981.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	11591981.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	11591981.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	11591981.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	11591981.exe

Executes dropped EXE 4 IoCs

pid	Process
1612	un431371.exe
4464	11591981.exe
4668	rk883857.exe
2948	si536001.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	11591981.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	11591981.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un431371.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un431371.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4464	11591981.exe
4464	11591981.exe
4668	rk883857.exe
4668	rk883857.exe
2948	si536001.exe
2948	si536001.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	11591981.exe
Token: SeDebugPrivilege	4668	rk883857.exe
Token: SeDebugPrivilege	2948	si536001.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 1612	4632	616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe	84
PID 4632 wrote to memory of 1612	4632	616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe	84
PID 4632 wrote to memory of 1612	4632	616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe	84
PID 1612 wrote to memory of 4464	1612	un431371.exe	85
PID 1612 wrote to memory of 4464	1612	un431371.exe	85
PID 1612 wrote to memory of 4464	1612	un431371.exe	85
PID 1612 wrote to memory of 4668	1612	un431371.exe	86
PID 1612 wrote to memory of 4668	1612	un431371.exe	86
PID 1612 wrote to memory of 4668	1612	un431371.exe	86
PID 4632 wrote to memory of 2948	4632	616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe	87
PID 4632 wrote to memory of 2948	4632	616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe	87
PID 4632 wrote to memory of 2948	4632	616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe	87

C:\Users\Admin\AppData\Local\Temp\616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe
"C:\Users\Admin\AppData\Local\Temp\616cac36f70ec3dedd8efbcc2ecb7b1969db02f542fd4478e6b3c1005f2d4f0e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un431371.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un431371.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11591981.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11591981.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk883857.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk883857.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si536001.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si536001.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si536001.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si536001.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un431371.exe

Filesize
592KB

MD5
5d98f81dfc6e51bc8958748970342985

SHA1
0b00270a14ab652020b5d3548bc625d14e92d9f6

SHA256
b71a8706cfa581aa99fc8ea9a78c0650a7090694a1d93dd7d1da0bc05a94a645

SHA512
5a16b750360c818521a0f89ca521e24d63976dd04c27d604bdc2c32f6931c1bdddf055b80d3df9b776b611aafc454b5ff0c5079b98fb23bf7af91041eda3ecac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un431371.exe

Filesize
592KB

MD5
5d98f81dfc6e51bc8958748970342985

SHA1
0b00270a14ab652020b5d3548bc625d14e92d9f6

SHA256
b71a8706cfa581aa99fc8ea9a78c0650a7090694a1d93dd7d1da0bc05a94a645

SHA512
5a16b750360c818521a0f89ca521e24d63976dd04c27d604bdc2c32f6931c1bdddf055b80d3df9b776b611aafc454b5ff0c5079b98fb23bf7af91041eda3ecac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11591981.exe

Filesize
377KB

MD5
100b0df6419ae21842a063e5a87b3df6

SHA1
fa865cbbe1cbb8746153fe027a3c862d850398ba

SHA256
2208fa0c7550ecb4aac00120e403c1d4b6722829051985495b3b99b1484951ab

SHA512
5a7feb9cd7c5bf7096581edba9bea0b224e7abcb314bf868e14a316aa31a2a4d0c87963fa3f1bcd9b2a91b7878b8a2e9396157d130f4d985f0c7241cd0897a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11591981.exe

Filesize
377KB

MD5
100b0df6419ae21842a063e5a87b3df6

SHA1
fa865cbbe1cbb8746153fe027a3c862d850398ba

SHA256
2208fa0c7550ecb4aac00120e403c1d4b6722829051985495b3b99b1484951ab

SHA512
5a7feb9cd7c5bf7096581edba9bea0b224e7abcb314bf868e14a316aa31a2a4d0c87963fa3f1bcd9b2a91b7878b8a2e9396157d130f4d985f0c7241cd0897a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk883857.exe

Filesize
459KB

MD5
0b1cf03d318a2c300e4524a86018c75f

SHA1
0be54482a636babb74af98d52306906d363299f5

SHA256
938ded8651601ff5b16c886c952a421acde5661a453e69e4508e64403294f749

SHA512
7146177982518f4b450bed1dbbe86a536479b9e2bbe28e9ce6fd44382d4f715c1308e31b553ec550fdd9295ce2fc29db6868521ea4153e41240eb90829ed17ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk883857.exe

Filesize
459KB

MD5
0b1cf03d318a2c300e4524a86018c75f

SHA1
0be54482a636babb74af98d52306906d363299f5

SHA256
938ded8651601ff5b16c886c952a421acde5661a453e69e4508e64403294f749

SHA512
7146177982518f4b450bed1dbbe86a536479b9e2bbe28e9ce6fd44382d4f715c1308e31b553ec550fdd9295ce2fc29db6868521ea4153e41240eb90829ed17ec

Download Submit
memory/2948-1003-0x0000000007820000-0x0000000007830000-memory.dmp

Filesize
64KB

Download
memory/2948-1002-0x0000000000A00000-0x0000000000A28000-memory.dmp

Filesize
160KB

Download
memory/4464-159-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-169-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-151-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-153-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-155-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-157-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-149-0x0000000005110000-0x00000000056B4000-memory.dmp

Filesize
5.6MB

Download
memory/4464-161-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-163-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-165-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-167-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-150-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-171-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-173-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-175-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-177-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4464-178-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4464-179-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4464-180-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4464-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4464-183-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4464-184-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4464-148-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/4668-190-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-220-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-194-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/4668-196-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-197-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/4668-193-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-199-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/4668-200-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-202-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-204-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-206-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-208-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-210-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-212-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-214-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-216-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-218-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-192-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/4668-222-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-224-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-226-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-985-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/4668-986-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4668-987-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4668-988-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/4668-989-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/4668-990-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/4668-991-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/4668-992-0x0000000008B20000-0x0000000008B70000-memory.dmp

Filesize
320KB

Download
memory/4668-993-0x0000000008B90000-0x0000000008C06000-memory.dmp

Filesize
472KB

Download
memory/4668-189-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4668-994-0x0000000008D40000-0x0000000008D5E000-memory.dmp

Filesize
120KB

Download
memory/4668-995-0x0000000008E60000-0x0000000009022000-memory.dmp

Filesize
1.8MB

Download
memory/4668-996-0x0000000009230000-0x000000000975C000-memory.dmp

Filesize
5.2MB

Download