d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349

Analysis

max time kernel
93s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2023, 21:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe
Size

746KB
MD5

f5196113a822fecf2f0dfaec034700fc
SHA1

f8b869f2f6bdb056dee305c9e0b9a06f4eb9e9fd
SHA256

d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349
SHA512

0240a94afe8f36f0f32b27cf82bcd7dbfc9562bb0855b2afbfe6a5cfec525576def9f6b602281e51bd5fb70b792e64231ca77206237c0b0d2a28b981a48e670b
SSDEEP

12288:zy906RYszDOrW9NDA740J1CUemRbgDi3FU9mFWmaJbB4wylQxXQnzDgo:zy7zyrv740JRgDiVU9APMbBZylCXU

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	12111206.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	12111206.exe

Executes dropped EXE 4 IoCs

pid	Process
1860	un482102.exe
4264	12111206.exe
5020	rk804851.exe
2128	si899925.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	12111206.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un482102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un482102.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4264	12111206.exe
4264	12111206.exe
5020	rk804851.exe
5020	rk804851.exe
2128	si899925.exe
2128	si899925.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	12111206.exe
Token: SeDebugPrivilege	5020	rk804851.exe
Token: SeDebugPrivilege	2128	si899925.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1860	1384	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	84
PID 1384 wrote to memory of 1860	1384	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	84
PID 1384 wrote to memory of 1860	1384	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	84
PID 1860 wrote to memory of 4264	1860	un482102.exe	85
PID 1860 wrote to memory of 4264	1860	un482102.exe	85
PID 1860 wrote to memory of 4264	1860	un482102.exe	85
PID 1860 wrote to memory of 5020	1860	un482102.exe	93
PID 1860 wrote to memory of 5020	1860	un482102.exe	93
PID 1860 wrote to memory of 5020	1860	un482102.exe	93
PID 1384 wrote to memory of 2128	1384	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	94
PID 1384 wrote to memory of 2128	1384	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	94
PID 1384 wrote to memory of 2128	1384	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	94

C:\Users\Admin\AppData\Local\Temp\d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe
"C:\Users\Admin\AppData\Local\Temp\d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482102.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482102.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si899925.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si899925.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si899925.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si899925.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482102.exe

Filesize
592KB

MD5
830af7bf9007d60863ffa536f8aec7f7

SHA1
e701215cc5733f9f74565230a9ff2caf4bc73e53

SHA256
d01b1f86e587f33306fa675b14b115c8ca35a55e5c76da58415f413c468e5cb9

SHA512
f28ea5e9d26c802276a730b5cdd497c3bf17772c8a072fd64d1bed4d69783afc1c6efdd2b394473d19e2aaad45dbd75dd94b3919ecb484ca41971de07faad9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482102.exe

Filesize
592KB

MD5
830af7bf9007d60863ffa536f8aec7f7

SHA1
e701215cc5733f9f74565230a9ff2caf4bc73e53

SHA256
d01b1f86e587f33306fa675b14b115c8ca35a55e5c76da58415f413c468e5cb9

SHA512
f28ea5e9d26c802276a730b5cdd497c3bf17772c8a072fd64d1bed4d69783afc1c6efdd2b394473d19e2aaad45dbd75dd94b3919ecb484ca41971de07faad9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe

Filesize
377KB

MD5
55b0b7ab8dc08b5c680d49a5cd68e276

SHA1
a8e7063a2771962f93eb242420d8dec0baa3a92e

SHA256
6679c0e7c1d4e4aab1037d79c1e4e1b6c76fa1da348d3a1d070ca28dc729d737

SHA512
e54fc0ba0e9fa9a6a0430ca44c53d1ec8a3ea5a58115b867f4c103fc8448db05b2f05913c8f16254676f4ad99c878703a435abc7c8c65ad2604775dc2f113b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe

Filesize
377KB

MD5
55b0b7ab8dc08b5c680d49a5cd68e276

SHA1
a8e7063a2771962f93eb242420d8dec0baa3a92e

SHA256
6679c0e7c1d4e4aab1037d79c1e4e1b6c76fa1da348d3a1d070ca28dc729d737

SHA512
e54fc0ba0e9fa9a6a0430ca44c53d1ec8a3ea5a58115b867f4c103fc8448db05b2f05913c8f16254676f4ad99c878703a435abc7c8c65ad2604775dc2f113b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe

Filesize
459KB

MD5
3a5088d5f067927d3f4b5f8f23a15d4a

SHA1
501ce588de552a238246cffc26be1eb2e94b1721

SHA256
a8e1cbef27b34c1caba1275cce8709bb940e4f880f34daa7a0cf6c597e671225

SHA512
3374eca93d951640dc2531916bd4b32dc9e18b010f5c0e6601f64f34890c64c9f95d06c87018c55262a3a4f42790ba1207c4bff380239d3a0dbad934b3ed3949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe

Filesize
459KB

MD5
3a5088d5f067927d3f4b5f8f23a15d4a

SHA1
501ce588de552a238246cffc26be1eb2e94b1721

SHA256
a8e1cbef27b34c1caba1275cce8709bb940e4f880f34daa7a0cf6c597e671225

SHA512
3374eca93d951640dc2531916bd4b32dc9e18b010f5c0e6601f64f34890c64c9f95d06c87018c55262a3a4f42790ba1207c4bff380239d3a0dbad934b3ed3949

Download Submit
memory/2128-1005-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/2128-1006-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/4264-161-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-173-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-151-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-155-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-157-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-159-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-150-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-163-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-165-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-167-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-170-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/4264-169-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-174-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/4264-153-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-171-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/4264-176-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-178-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-180-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4264-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4264-182-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/4264-183-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/4264-184-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/4264-186-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4264-149-0x0000000004E10000-0x00000000053B4000-memory.dmp

Filesize
5.6MB

Download
memory/4264-148-0x0000000000A20000-0x0000000000A4D000-memory.dmp

Filesize
180KB

Download
memory/5020-194-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-196-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-198-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-200-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-202-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-204-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-206-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-208-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-210-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-212-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-214-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-216-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-218-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-220-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-222-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-224-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-254-0x0000000000A60000-0x0000000000AA6000-memory.dmp

Filesize
280KB

Download
memory/5020-258-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5020-259-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5020-255-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5020-987-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/5020-988-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/5020-989-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/5020-990-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/5020-991-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5020-992-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/5020-993-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/5020-994-0x0000000008B40000-0x0000000008BB6000-memory.dmp

Filesize
472KB

Download
memory/5020-995-0x0000000008C20000-0x0000000008DE2000-memory.dmp

Filesize
1.8MB

Download
memory/5020-996-0x0000000008DF0000-0x000000000931C000-memory.dmp

Filesize
5.2MB

Download
memory/5020-191-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-192-0x00000000053B0000-0x00000000053E5000-memory.dmp

Filesize
212KB

Download
memory/5020-997-0x00000000093A0000-0x00000000093BE000-memory.dmp

Filesize
120KB

Download
memory/5020-998-0x00000000026B0000-0x0000000002700000-memory.dmp

Filesize
320KB

Download