babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2023, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe
Size

746KB
MD5

20a1620b80e7195bd87d4f9449a096b0
SHA1

8a8377b212e72f1d4725588f8ab8157475f48bc6
SHA256

babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca
SHA512

1820e0d346f9b97719bbc6433809f0a2c91fe94163f55819cdcd54f041d79fd8cbb3cf050c80d0ae2aac8f40e60110bdc47fd87e6db0dabe3187d96d44388572
SSDEEP

12288:oy90qiNx1G5ardtVEEflAV5f1AzMLLUxT68aqXfSgHhaVKTErHwzy:oy8Nx1saxEENu5CzMEwPqXfHAYAD

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	16663248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	16663248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	16663248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	16663248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	16663248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	16663248.exe

Executes dropped EXE 4 IoCs

pid	Process
444	un452860.exe
3704	16663248.exe
4596	rk366989.exe
3416	si632642.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	16663248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	16663248.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un452860.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un452860.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3956	3704	WerFault.exe	84
4880	4596	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3704	16663248.exe
3704	16663248.exe
4596	rk366989.exe
4596	rk366989.exe
3416	si632642.exe
3416	si632642.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	16663248.exe
Token: SeDebugPrivilege	4596	rk366989.exe
Token: SeDebugPrivilege	3416	si632642.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 444	3576	babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe	83
PID 3576 wrote to memory of 444	3576	babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe	83
PID 3576 wrote to memory of 444	3576	babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe	83
PID 444 wrote to memory of 3704	444	un452860.exe	84
PID 444 wrote to memory of 3704	444	un452860.exe	84
PID 444 wrote to memory of 3704	444	un452860.exe	84
PID 444 wrote to memory of 4596	444	un452860.exe	87
PID 444 wrote to memory of 4596	444	un452860.exe	87
PID 444 wrote to memory of 4596	444	un452860.exe	87
PID 3576 wrote to memory of 3416	3576	babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe	90
PID 3576 wrote to memory of 3416	3576	babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe	90
PID 3576 wrote to memory of 3416	3576	babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe	90

C:\Users\Admin\AppData\Local\Temp\babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe
"C:\Users\Admin\AppData\Local\Temp\babcef242e77d37d71d6559fffd833a5d483b752fbfe8dfc379757e4f53510ca.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un452860.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un452860.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16663248.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16663248.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1080
      4⤵
      Program crash
      PID:3956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366989.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366989.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1320
      4⤵
      Program crash
      PID:4880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si632642.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si632642.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3704 -ip 3704
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4596 -ip 4596
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si632642.exe

Filesize
136KB

MD5
ace73b2b1f835de11594ea9a243a9f5c

SHA1
2f929d1f69784fbe499a95b064679a16947bdd84

SHA256
7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49

SHA512
024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si632642.exe

Filesize
136KB

MD5
ace73b2b1f835de11594ea9a243a9f5c

SHA1
2f929d1f69784fbe499a95b064679a16947bdd84

SHA256
7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49

SHA512
024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un452860.exe

Filesize
592KB

MD5
de80f99a05b1fc044b1ee8b5faf92643

SHA1
7a15258ab971b847d163915397981b648cc2d2f3

SHA256
451405539a3320ea276c695d2f83b17682e4235d17424588b4e2105d789ccdfe

SHA512
92756be909947be45cfd3e16127353eb1d7f206e2c88be123ace89e5472187e1fb74b82b9ee097459601586274d657b1bb8fc38a9d65468b0dce6e4c4c74a737

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un452860.exe

Filesize
592KB

MD5
de80f99a05b1fc044b1ee8b5faf92643

SHA1
7a15258ab971b847d163915397981b648cc2d2f3

SHA256
451405539a3320ea276c695d2f83b17682e4235d17424588b4e2105d789ccdfe

SHA512
92756be909947be45cfd3e16127353eb1d7f206e2c88be123ace89e5472187e1fb74b82b9ee097459601586274d657b1bb8fc38a9d65468b0dce6e4c4c74a737

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16663248.exe

Filesize
376KB

MD5
7908a08283761071411f64589908125b

SHA1
c525ed3a303ba585b1b40aa19a8308407962f182

SHA256
d7fe16ec988db4cbc666298ebf9e6cdb747ced14802baf45b4c802fe7381d67e

SHA512
ae96f1aca877a0f4c41d07f9604348e18fde63556c821d4578943b906979727c7231e98edb63a0e6b987ac6e4dfff8b7a70e55b32cf8d72544670a6f2a21c6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16663248.exe

Filesize
376KB

MD5
7908a08283761071411f64589908125b

SHA1
c525ed3a303ba585b1b40aa19a8308407962f182

SHA256
d7fe16ec988db4cbc666298ebf9e6cdb747ced14802baf45b4c802fe7381d67e

SHA512
ae96f1aca877a0f4c41d07f9604348e18fde63556c821d4578943b906979727c7231e98edb63a0e6b987ac6e4dfff8b7a70e55b32cf8d72544670a6f2a21c6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366989.exe

Filesize
459KB

MD5
f8ae633725f01b6c1e5a1e5321427565

SHA1
815cf4c98adac036847c905b9dbb7165bab6a95d

SHA256
3fc7487cf329ba50259d284314410f8bd39e5dea76ddf02fb0cb1e152a4351de

SHA512
018493e32f754f87847811785a350bbdf1c3eff472e18c0ffb2f78d638e19ece162afe20ac10126b9cb1691e1a39ba1f7b1d968a4c618243b2a9d8b1c321e8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366989.exe

Filesize
459KB

MD5
f8ae633725f01b6c1e5a1e5321427565

SHA1
815cf4c98adac036847c905b9dbb7165bab6a95d

SHA256
3fc7487cf329ba50259d284314410f8bd39e5dea76ddf02fb0cb1e152a4351de

SHA512
018493e32f754f87847811785a350bbdf1c3eff472e18c0ffb2f78d638e19ece162afe20ac10126b9cb1691e1a39ba1f7b1d968a4c618243b2a9d8b1c321e8b8

Download Submit
memory/3416-1005-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/3416-1006-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/3704-187-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3704-150-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-151-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-153-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-155-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-157-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-159-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-161-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-163-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-165-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-167-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-169-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-171-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-173-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-175-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-177-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/3704-178-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3704-179-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3704-180-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3704-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3704-183-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3704-184-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3704-185-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3704-186-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3704-149-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/3704-148-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/4596-199-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-547-0x0000000000950000-0x0000000000996000-memory.dmp

Filesize
280KB

Download
memory/4596-197-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-193-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-201-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-203-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-205-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-207-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-209-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-211-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-213-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-215-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-217-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-219-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-221-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-223-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-225-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-195-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-549-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4596-551-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4596-553-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4596-988-0x0000000007B90000-0x00000000081A8000-memory.dmp

Filesize
6.1MB

Download
memory/4596-989-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/4596-990-0x00000000081B0000-0x00000000082BA000-memory.dmp

Filesize
1.0MB

Download
memory/4596-991-0x00000000028E0000-0x000000000291C000-memory.dmp

Filesize
240KB

Download
memory/4596-992-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4596-993-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/4596-994-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/4596-995-0x0000000008C40000-0x0000000008C90000-memory.dmp

Filesize
320KB

Download
memory/4596-996-0x0000000008C90000-0x0000000008D06000-memory.dmp

Filesize
472KB

Download
memory/4596-192-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4596-997-0x0000000008D40000-0x0000000008D5E000-memory.dmp

Filesize
120KB

Download
memory/4596-998-0x0000000008E60000-0x0000000009022000-memory.dmp

Filesize
1.8MB

Download
memory/4596-999-0x0000000009030000-0x000000000955C000-memory.dmp

Filesize
5.2MB

Download