335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe
Size

694KB
MD5

15f84eca217b2ef590adf68e070cc663
SHA1

0c7298c0100be5fa4df73b30931ac1c975f6b125
SHA256

335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc
SHA512

e3b42fc7a9e1e9990a2ace84ef6060c5bf39808ae6dc040e802e0e95fed811aff2a5f789e687796456cd4a78b85ce011f0ac3d05f3417247803b7b285370aebc
SSDEEP

12288:ky90qf2x2o7GnphW4ZDyTj0wa8AIZVa38iLdDiJufdkLxksVq3SbZeTr8JDr4db:kyV2x20GnPZDRwwILgVf0ksbZ4Iudb

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	35259769.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	35259769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	35259769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	35259769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	35259769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	35259769.exe

Executes dropped EXE 4 IoCs

pid	Process
2848	un728620.exe
1292	35259769.exe
3892	rk600020.exe
1168	si224967.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	35259769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	35259769.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un728620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un728620.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
628	1292	WerFault.exe	85
4880	3892	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1292	35259769.exe
1292	35259769.exe
3892	rk600020.exe
3892	rk600020.exe
1168	si224967.exe
1168	si224967.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	35259769.exe
Token: SeDebugPrivilege	3892	rk600020.exe
Token: SeDebugPrivilege	1168	si224967.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 2848	4264	335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe	84
PID 4264 wrote to memory of 2848	4264	335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe	84
PID 4264 wrote to memory of 2848	4264	335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe	84
PID 2848 wrote to memory of 1292	2848	un728620.exe	85
PID 2848 wrote to memory of 1292	2848	un728620.exe	85
PID 2848 wrote to memory of 1292	2848	un728620.exe	85
PID 2848 wrote to memory of 3892	2848	un728620.exe	91
PID 2848 wrote to memory of 3892	2848	un728620.exe	91
PID 2848 wrote to memory of 3892	2848	un728620.exe	91
PID 4264 wrote to memory of 1168	4264	335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe	94
PID 4264 wrote to memory of 1168	4264	335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe	94
PID 4264 wrote to memory of 1168	4264	335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe	94

C:\Users\Admin\AppData\Local\Temp\335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe
"C:\Users\Admin\AppData\Local\Temp\335c0e036d75d3912e99386d01f0e26f5e4b3e4ea2a638c2fe1526a3219977bc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un728620.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un728620.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35259769.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35259769.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1096
      4⤵
      Program crash
      PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk600020.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk600020.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1324
      4⤵
      Program crash
      PID:4880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si224967.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si224967.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1292 -ip 1292
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3892 -ip 3892
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si224967.exe

Filesize
136KB

MD5
73cae2858379cab7e68b9e5bf751c372

SHA1
38c375354bda6e5c8fb2579f1ef0416a6c65929a

SHA256
e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c

SHA512
343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si224967.exe

Filesize
136KB

MD5
73cae2858379cab7e68b9e5bf751c372

SHA1
38c375354bda6e5c8fb2579f1ef0416a6c65929a

SHA256
e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c

SHA512
343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un728620.exe

Filesize
540KB

MD5
54a77666cfb6bd3f43017eafd156aeda

SHA1
d3bcffcae12e277f74cd59a60662640b29abd13b

SHA256
d755343ced214043d3b7d8a2d6bd12c65514fa4f3b197b90ec87d195f3270c1b

SHA512
c50ba883732c4338e23ef19ee6329b443f1221a0d456bd0ff3d21caa8075389a9d7b28baf4958db22ad8e5a935911afa3a3deaaa15d863a9c33db5aeb6cbea68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un728620.exe

Filesize
540KB

MD5
54a77666cfb6bd3f43017eafd156aeda

SHA1
d3bcffcae12e277f74cd59a60662640b29abd13b

SHA256
d755343ced214043d3b7d8a2d6bd12c65514fa4f3b197b90ec87d195f3270c1b

SHA512
c50ba883732c4338e23ef19ee6329b443f1221a0d456bd0ff3d21caa8075389a9d7b28baf4958db22ad8e5a935911afa3a3deaaa15d863a9c33db5aeb6cbea68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35259769.exe

Filesize
257KB

MD5
49d9ed711325edf43d82d25d02f60bdd

SHA1
4181260cc611a8acecf1f32632fe4e0976c43972

SHA256
ae0a293df9db12579c4f8b36dbadbb39669737bfac3566cfb10bbf3888f6ac47

SHA512
f9caa34dfe892219fec00ab18fe1bb7def80ff3797093aab7eb0f0898452e770426cb2f71b79a46dedc8e3c786f900bb7da2c28f580cdaf0fd4551b01dd8bebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35259769.exe

Filesize
257KB

MD5
49d9ed711325edf43d82d25d02f60bdd

SHA1
4181260cc611a8acecf1f32632fe4e0976c43972

SHA256
ae0a293df9db12579c4f8b36dbadbb39669737bfac3566cfb10bbf3888f6ac47

SHA512
f9caa34dfe892219fec00ab18fe1bb7def80ff3797093aab7eb0f0898452e770426cb2f71b79a46dedc8e3c786f900bb7da2c28f580cdaf0fd4551b01dd8bebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk600020.exe

Filesize
340KB

MD5
70d0f580d964bcbe318d353d69829053

SHA1
08066ba77a016a8329992ce0d8d1eee8b32f41e4

SHA256
3b012e4ff3cca7ab739171ea9703cb94590ccd2fba81cc748ec91e9f4be1f318

SHA512
8d52550724299dd4d7448fa0469a1a9264df5284488de65e675a584c47a42dc25448f2526e7b596238a9c6f6aaee9cea07f3f38305cd49efdc6e2bbe033275ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk600020.exe

Filesize
340KB

MD5
70d0f580d964bcbe318d353d69829053

SHA1
08066ba77a016a8329992ce0d8d1eee8b32f41e4

SHA256
3b012e4ff3cca7ab739171ea9703cb94590ccd2fba81cc748ec91e9f4be1f318

SHA512
8d52550724299dd4d7448fa0469a1a9264df5284488de65e675a584c47a42dc25448f2526e7b596238a9c6f6aaee9cea07f3f38305cd49efdc6e2bbe033275ba

Download Submit
memory/1168-1004-0x0000000000EA0000-0x0000000000EC8000-memory.dmp

Filesize
160KB

Download
memory/1168-1005-0x0000000007FA0000-0x0000000007FB0000-memory.dmp

Filesize
64KB

Download
memory/1292-157-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-167-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-151-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1292-152-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-153-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-155-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-149-0x0000000002DF0000-0x0000000002E1D000-memory.dmp

Filesize
180KB

Download
memory/1292-159-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-165-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-163-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-161-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-150-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1292-169-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-171-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-173-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-175-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-177-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-179-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/1292-180-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1292-181-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1292-182-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1292-183-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1292-185-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1292-148-0x00000000072B0000-0x0000000007854000-memory.dmp

Filesize
5.6MB

Download
memory/3892-191-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-193-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-195-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-197-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-199-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-201-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-203-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-207-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-205-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-209-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-211-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-212-0x0000000002E20000-0x0000000002E66000-memory.dmp

Filesize
280KB

Download
memory/3892-214-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3892-215-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-216-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3892-219-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-218-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3892-221-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-225-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-223-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-227-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-986-0x0000000009C70000-0x000000000A288000-memory.dmp

Filesize
6.1MB

Download
memory/3892-987-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/3892-988-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/3892-989-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/3892-990-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3892-991-0x000000000A740000-0x000000000A7A6000-memory.dmp

Filesize
408KB

Download
memory/3892-992-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/3892-993-0x000000000AFC0000-0x000000000B036000-memory.dmp

Filesize
472KB

Download
memory/3892-994-0x000000000B080000-0x000000000B09E000-memory.dmp

Filesize
120KB

Download
memory/3892-190-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/3892-995-0x000000000B190000-0x000000000B352000-memory.dmp

Filesize
1.8MB

Download
memory/3892-996-0x000000000B560000-0x000000000BA8C000-memory.dmp

Filesize
5.2MB

Download
memory/3892-997-0x0000000004B30000-0x0000000004B80000-memory.dmp

Filesize
320KB

Download