9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2023, 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe
Size

746KB
MD5

08008a73e5e2d40e0806517c0824bd23
SHA1

3a96825bf3c30f84e93d87361aa2fff72edd5ab4
SHA256

9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90
SHA512

5f4b8b2a2231e2459cff33cb1d0f094c10c37d0dafeda3ada57b8290df0fc8fcd55e9c4dfd16866dd68f5227c9976eebe9ced2a9d1680c41ae654f07853ce37f
SSDEEP

12288:fy90h8YZyAs57z5BlXGjoaMxpV58a/uP96fOBSbLVl/MCEnfRD6qli4bNPeKSrXK:fyYNnsh9z0UxKTPaOBSfVRufVZfNP2xo

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	00349258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	00349258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	00349258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	00349258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	00349258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	00349258.exe

Executes dropped EXE 4 IoCs

pid	Process
2136	un217140.exe
4620	00349258.exe
3968	rk093468.exe
4760	si205111.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	00349258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	00349258.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un217140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un217140.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
636	4620	WerFault.exe	86
4888	3968	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4620	00349258.exe
4620	00349258.exe
3968	rk093468.exe
3968	rk093468.exe
4760	si205111.exe
4760	si205111.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	00349258.exe
Token: SeDebugPrivilege	3968	rk093468.exe
Token: SeDebugPrivilege	4760	si205111.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2136	4192	9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe	85
PID 4192 wrote to memory of 2136	4192	9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe	85
PID 4192 wrote to memory of 2136	4192	9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe	85
PID 2136 wrote to memory of 4620	2136	un217140.exe	86
PID 2136 wrote to memory of 4620	2136	un217140.exe	86
PID 2136 wrote to memory of 4620	2136	un217140.exe	86
PID 2136 wrote to memory of 3968	2136	un217140.exe	92
PID 2136 wrote to memory of 3968	2136	un217140.exe	92
PID 2136 wrote to memory of 3968	2136	un217140.exe	92
PID 4192 wrote to memory of 4760	4192	9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe	95
PID 4192 wrote to memory of 4760	4192	9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe	95
PID 4192 wrote to memory of 4760	4192	9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe	95

C:\Users\Admin\AppData\Local\Temp\9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe
"C:\Users\Admin\AppData\Local\Temp\9df0f1e17abe253894a6476ec513225f6f87d0b2ba1308720d398b8087e3bf90.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un217140.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un217140.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\00349258.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\00349258.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1080
      4⤵
      Program crash
      PID:636
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk093468.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk093468.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1328
      4⤵
      Program crash
      PID:4888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si205111.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si205111.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4620 -ip 4620
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3968 -ip 3968
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si205111.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si205111.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un217140.exe

Filesize
592KB

MD5
e53796b8f59339e92e19fd7c76137c73

SHA1
e3fd1b0f4f44b341164bed00a7d6a8af0f7acfde

SHA256
9357d6e3bffe8984eea0f9e4b2ef989e0252bde0f8738f62c9e967e592acfee4

SHA512
728beb0257589a63c7ea669ea1b2185c3b7c4e6d663d7eb3680159e0a72004a144ab50d60fd827a132ed2fb2ef216baffdf8ef2ddbbc29a6b3f0e0ae025051d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un217140.exe

Filesize
592KB

MD5
e53796b8f59339e92e19fd7c76137c73

SHA1
e3fd1b0f4f44b341164bed00a7d6a8af0f7acfde

SHA256
9357d6e3bffe8984eea0f9e4b2ef989e0252bde0f8738f62c9e967e592acfee4

SHA512
728beb0257589a63c7ea669ea1b2185c3b7c4e6d663d7eb3680159e0a72004a144ab50d60fd827a132ed2fb2ef216baffdf8ef2ddbbc29a6b3f0e0ae025051d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\00349258.exe

Filesize
377KB

MD5
16f37be95c5efc3f3399f489f4e6cd32

SHA1
01a666145116d33f97400a1180b3d9e3afd9bf4b

SHA256
da6bff0262e40d33a77d7f0a703394058149148983ede24a0cef59a777d36c0f

SHA512
64a6c5d639d2f05828ebe017dabd76984c00fd74ca6a1d06e419a62347822dba1d7c49a75199a95387baa86444df34c6fc8fe8b2ec228718dbb7545c7d86d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\00349258.exe

Filesize
377KB

MD5
16f37be95c5efc3f3399f489f4e6cd32

SHA1
01a666145116d33f97400a1180b3d9e3afd9bf4b

SHA256
da6bff0262e40d33a77d7f0a703394058149148983ede24a0cef59a777d36c0f

SHA512
64a6c5d639d2f05828ebe017dabd76984c00fd74ca6a1d06e419a62347822dba1d7c49a75199a95387baa86444df34c6fc8fe8b2ec228718dbb7545c7d86d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk093468.exe

Filesize
459KB

MD5
0ea4861e9cb228b3dfae1dc0c2d5b36c

SHA1
258b6e767f9434dd11d624d25f8698de934e329e

SHA256
24937c09017382c69e5e8c3280ba92a7fbe605a27bb70f6bf1afc9c5e2e4a53b

SHA512
18aaa5d54c2de751e48b9d510c40969f038f30f6aa2b8f50fde4c74cfe72859930a968444ce0a8650b6abec99289f31f81db9e2e388489921335efcb634484ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk093468.exe

Filesize
459KB

MD5
0ea4861e9cb228b3dfae1dc0c2d5b36c

SHA1
258b6e767f9434dd11d624d25f8698de934e329e

SHA256
24937c09017382c69e5e8c3280ba92a7fbe605a27bb70f6bf1afc9c5e2e4a53b

SHA512
18aaa5d54c2de751e48b9d510c40969f038f30f6aa2b8f50fde4c74cfe72859930a968444ce0a8650b6abec99289f31f81db9e2e388489921335efcb634484ef

Download Submit
memory/3968-224-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-985-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/3968-996-0x0000000004920000-0x0000000004970000-memory.dmp

Filesize
320KB

Download
memory/3968-995-0x0000000009570000-0x000000000958E000-memory.dmp

Filesize
120KB

Download
memory/3968-994-0x0000000008F30000-0x000000000945C000-memory.dmp

Filesize
5.2MB

Download
memory/3968-993-0x0000000008D60000-0x0000000008F22000-memory.dmp

Filesize
1.8MB

Download
memory/3968-992-0x0000000008C80000-0x0000000008CF6000-memory.dmp

Filesize
472KB

Download
memory/3968-991-0x0000000008BB0000-0x0000000008C42000-memory.dmp

Filesize
584KB

Download
memory/3968-990-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/3968-989-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/3968-988-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/3968-987-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/3968-986-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/3968-226-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-222-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/3968-221-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-214-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-217-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/3968-219-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/3968-218-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-215-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/3968-190-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-192-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-189-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-194-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-196-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-198-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-200-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-202-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-204-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-206-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-208-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-210-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3968-212-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4620-172-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-149-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/4620-184-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4620-182-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4620-181-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4620-180-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4620-150-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4620-179-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4620-178-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-154-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-176-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-174-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-152-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-168-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-151-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-166-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-164-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-162-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-160-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-158-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-156-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-170-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/4620-148-0x0000000004F90000-0x0000000005534000-memory.dmp

Filesize
5.6MB

Download
memory/4760-1002-0x0000000000DD0000-0x0000000000DF8000-memory.dmp

Filesize
160KB

Download
memory/4760-1003-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download