bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669

Analysis

max time kernel
53s
max time network
67s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25/04/2023, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe
Size

746KB
MD5

34a3b125cd2f5a6fd80b588c1f7cfe2a
SHA1

a3ff9703812728a1b03d88cde4e6503d506139fb
SHA256

bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669
SHA512

615f7f4272d99936bbd2d4574c302e9bbaae9c4a4ba06431cdbc961cde18041991f0ade35aa15bab9aed6f8526605f5d1ff4cebf8ae3b886f622f5076132727f
SSDEEP

12288:0y90ENBcLijf5VoD3vF2453uxneRs6nlD43NP2nnPU1eiV:0yP/NHoD3v95Uee4kNPmnscu

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	17808084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	17808084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	17808084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	17808084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	17808084.exe

Executes dropped EXE 4 IoCs

pid	Process
2488	un440423.exe
2560	17808084.exe
3540	rk100627.exe
3052	si258388.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	17808084.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	17808084.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un440423.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un440423.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2560	17808084.exe
2560	17808084.exe
3540	rk100627.exe
3540	rk100627.exe
3052	si258388.exe
3052	si258388.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	17808084.exe
Token: SeDebugPrivilege	3540	rk100627.exe
Token: SeDebugPrivilege	3052	si258388.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2488	2156	bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe	66
PID 2156 wrote to memory of 2488	2156	bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe	66
PID 2156 wrote to memory of 2488	2156	bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe	66
PID 2488 wrote to memory of 2560	2488	un440423.exe	67
PID 2488 wrote to memory of 2560	2488	un440423.exe	67
PID 2488 wrote to memory of 2560	2488	un440423.exe	67
PID 2488 wrote to memory of 3540	2488	un440423.exe	68
PID 2488 wrote to memory of 3540	2488	un440423.exe	68
PID 2488 wrote to memory of 3540	2488	un440423.exe	68
PID 2156 wrote to memory of 3052	2156	bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe	70
PID 2156 wrote to memory of 3052	2156	bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe	70
PID 2156 wrote to memory of 3052	2156	bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe	70

C:\Users\Admin\AppData\Local\Temp\bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe
"C:\Users\Admin\AppData\Local\Temp\bc27199dd969ae1fafe1424df630d63a785f4f8defbf18adcfed0690bb5ff669.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un440423.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un440423.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17808084.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17808084.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk100627.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk100627.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3540
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si258388.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si258388.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si258388.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si258388.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un440423.exe

Filesize
592KB

MD5
46e3038eb77f3c6f793f6e6c5d7991b8

SHA1
4007c46c62698e98b179bc70876da6db4465c456

SHA256
cfa720f4c2422bb9f9058edaf33c8036fcbc2e12946b7871ce3ba22aaadcce2d

SHA512
7df873d90fddf890556f99f02fe0cdf1ee7e2e7a8742fa8c448235a5d4ae2a02186a045eb15e78f33b100d3c6c707f519ebd8834711b1aecdc2f7d6d936ed251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un440423.exe

Filesize
592KB

MD5
46e3038eb77f3c6f793f6e6c5d7991b8

SHA1
4007c46c62698e98b179bc70876da6db4465c456

SHA256
cfa720f4c2422bb9f9058edaf33c8036fcbc2e12946b7871ce3ba22aaadcce2d

SHA512
7df873d90fddf890556f99f02fe0cdf1ee7e2e7a8742fa8c448235a5d4ae2a02186a045eb15e78f33b100d3c6c707f519ebd8834711b1aecdc2f7d6d936ed251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17808084.exe

Filesize
377KB

MD5
713eb6829bcee88a82d5f87b2b795d6a

SHA1
f567e6de0841c86cbe895c38d36d7c40f8d8b28d

SHA256
ae38056e61e12c2318ba7ff9cd4502e65c6c2187663e204e2c5a1e2d9bccc4a8

SHA512
1fe218afd2129b2ff82419f05257cc95776ae4d1f81b6b68beb684514533bfc50dc831192dde1841160a509c3f0b8f557b60bf71ea56711de43592ef373f1844

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17808084.exe

Filesize
377KB

MD5
713eb6829bcee88a82d5f87b2b795d6a

SHA1
f567e6de0841c86cbe895c38d36d7c40f8d8b28d

SHA256
ae38056e61e12c2318ba7ff9cd4502e65c6c2187663e204e2c5a1e2d9bccc4a8

SHA512
1fe218afd2129b2ff82419f05257cc95776ae4d1f81b6b68beb684514533bfc50dc831192dde1841160a509c3f0b8f557b60bf71ea56711de43592ef373f1844

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk100627.exe

Filesize
459KB

MD5
03e552647d3c269f68aac27c4073968b

SHA1
e2a5a077e4b80c60ebabe0bdea641f765c430c19

SHA256
13eb5f282dc9196986999f2e6df6eee18087a183de935bbb64f6000ff5338149

SHA512
9fc8230638d53b3757deb19ab76bfa0e3147028bb3fda8f8acc450c0aebd44038d66cdf4de8381675321a4c8688baeb1d3931cf108826d7ea5df07737d3a82aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk100627.exe

Filesize
459KB

MD5
03e552647d3c269f68aac27c4073968b

SHA1
e2a5a077e4b80c60ebabe0bdea641f765c430c19

SHA256
13eb5f282dc9196986999f2e6df6eee18087a183de935bbb64f6000ff5338149

SHA512
9fc8230638d53b3757deb19ab76bfa0e3147028bb3fda8f8acc450c0aebd44038d66cdf4de8381675321a4c8688baeb1d3931cf108826d7ea5df07737d3a82aa

Download Submit
memory/2560-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2560-137-0x0000000000B20000-0x0000000000B3A000-memory.dmp

Filesize
104KB

Download
memory/2560-138-0x0000000004FA0000-0x000000000549E000-memory.dmp

Filesize
5.0MB

Download
memory/2560-139-0x00000000026C0000-0x00000000026D8000-memory.dmp

Filesize
96KB

Download
memory/2560-140-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-141-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-143-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-145-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-147-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-149-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-151-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-153-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-155-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-157-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-160-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-159-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2560-162-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2560-166-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-164-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2560-163-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-168-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-170-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2560-171-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2560-173-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3052-994-0x00000000009F0000-0x0000000000A18000-memory.dmp

Filesize
160KB

Download
memory/3052-996-0x0000000007730000-0x0000000007740000-memory.dmp

Filesize
64KB

Download
memory/3052-995-0x0000000007780000-0x00000000077CB000-memory.dmp

Filesize
300KB

Download
memory/3540-181-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-432-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3540-183-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-185-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-187-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-189-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-191-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-193-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-195-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-197-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-199-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-201-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-203-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-205-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-207-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-209-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-211-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-213-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-430-0x0000000000A60000-0x0000000000AA6000-memory.dmp

Filesize
280KB

Download
memory/3540-180-0x00000000026A0000-0x00000000026D5000-memory.dmp

Filesize
212KB

Download
memory/3540-436-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3540-434-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3540-976-0x00000000077F0000-0x0000000007DF6000-memory.dmp

Filesize
6.0MB

Download
memory/3540-977-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/3540-978-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/3540-979-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3540-980-0x0000000007FB0000-0x0000000007FEE000-memory.dmp

Filesize
248KB

Download
memory/3540-981-0x0000000008160000-0x00000000081AB000-memory.dmp

Filesize
300KB

Download
memory/3540-982-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/3540-983-0x00000000089A0000-0x0000000008A32000-memory.dmp

Filesize
584KB

Download
memory/3540-984-0x0000000008A40000-0x0000000008AB6000-memory.dmp

Filesize
472KB

Download
memory/3540-985-0x0000000008B00000-0x0000000008CC2000-memory.dmp

Filesize
1.8MB

Download
memory/3540-179-0x00000000026A0000-0x00000000026DA000-memory.dmp

Filesize
232KB

Download
memory/3540-178-0x00000000024B0000-0x00000000024EC000-memory.dmp

Filesize
240KB

Download
memory/3540-986-0x0000000008CE0000-0x000000000920C000-memory.dmp

Filesize
5.2MB

Download
memory/3540-987-0x0000000009340000-0x000000000935E000-memory.dmp

Filesize
120KB

Download
memory/3540-988-0x0000000004990000-0x00000000049E0000-memory.dmp

Filesize
320KB

Download