d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe
Size

747KB
MD5

fb8343c5f4c019f0a1f6737ccf275c8d
SHA1

4ac7e3cbb24dd8943185145f5ab63f2771ec0eb8
SHA256

d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243
SHA512

b54ee8a4c494355590a72420c6b6fd168adf808e2a7279dd1361dc600d9f4c0de2767478a6d724ea56f806c4033a140225f54b870f3b7763054d8cd6fe4412d5
SSDEEP

12288:fy90QYDhFBBKIz/LlYn8OnCe0X/Z1easbQWVUJlO4FNP7RdFK68N+H/0:fynYDhFBNzBY8OH0DqhVSNNPldFgz

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	84825644.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	84825644.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	84825644.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	84825644.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	84825644.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	84825644.exe

Executes dropped EXE 4 IoCs

pid	Process
4312	un486855.exe
4636	84825644.exe
4684	rk763028.exe
3884	si275732.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	84825644.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	84825644.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un486855.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un486855.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3940	4636	WerFault.exe	82
4292	4684	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4636	84825644.exe
4636	84825644.exe
4684	rk763028.exe
4684	rk763028.exe
3884	si275732.exe
3884	si275732.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	84825644.exe
Token: SeDebugPrivilege	4684	rk763028.exe
Token: SeDebugPrivilege	3884	si275732.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4312	2072	d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe	81
PID 2072 wrote to memory of 4312	2072	d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe	81
PID 2072 wrote to memory of 4312	2072	d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe	81
PID 4312 wrote to memory of 4636	4312	un486855.exe	82
PID 4312 wrote to memory of 4636	4312	un486855.exe	82
PID 4312 wrote to memory of 4636	4312	un486855.exe	82
PID 4312 wrote to memory of 4684	4312	un486855.exe	88
PID 4312 wrote to memory of 4684	4312	un486855.exe	88
PID 4312 wrote to memory of 4684	4312	un486855.exe	88
PID 2072 wrote to memory of 3884	2072	d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe	91
PID 2072 wrote to memory of 3884	2072	d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe	91
PID 2072 wrote to memory of 3884	2072	d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe	91

C:\Users\Admin\AppData\Local\Temp\d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe
"C:\Users\Admin\AppData\Local\Temp\d683c221f1609036795b7d0e8feda8e77d6bc9b6fa16133ff02c104f3d947243.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un486855.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un486855.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84825644.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84825644.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1080
      4⤵
      Program crash
      PID:3940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk763028.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk763028.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1332
      4⤵
      Program crash
      PID:4292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si275732.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si275732.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4636 -ip 4636
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4684 -ip 4684
1⤵
PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si275732.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si275732.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un486855.exe

Filesize
593KB

MD5
8efa506d9feb70eb5346c4531f5f6fd6

SHA1
075b6a77640feafdf9dc0ee29ede75ebdd1ba603

SHA256
dc651d8f8960d02f5ded3f49527be9c1b7b930687a8b58eab5dfd917b5c33dc3

SHA512
08a346dafb6549e269b998b8ea6d2027daaf526046cca75caa887bcb1fb8aac0b7a51209626988fb885fe98221b8f058df92e5e0bfea806f5421be0ad3f3743c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un486855.exe

Filesize
593KB

MD5
8efa506d9feb70eb5346c4531f5f6fd6

SHA1
075b6a77640feafdf9dc0ee29ede75ebdd1ba603

SHA256
dc651d8f8960d02f5ded3f49527be9c1b7b930687a8b58eab5dfd917b5c33dc3

SHA512
08a346dafb6549e269b998b8ea6d2027daaf526046cca75caa887bcb1fb8aac0b7a51209626988fb885fe98221b8f058df92e5e0bfea806f5421be0ad3f3743c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84825644.exe

Filesize
377KB

MD5
fec1a423c39fc1b8911c686c937baf5e

SHA1
1a33705d060a86b8c2675d8967b639e7aebe2861

SHA256
8e02c7b94289b3fe715c8531d6953a21553f0dc1f08efe13415e4c12af2ef7a2

SHA512
7f7c3eaece135b7be11351d94c0ad6c1c15a878c62473d8209b0ebe3a1404783b1cf93b734390551a61f03f3f1f8455400309e3ac9bb0cd5f9bbd68ad01ddee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84825644.exe

Filesize
377KB

MD5
fec1a423c39fc1b8911c686c937baf5e

SHA1
1a33705d060a86b8c2675d8967b639e7aebe2861

SHA256
8e02c7b94289b3fe715c8531d6953a21553f0dc1f08efe13415e4c12af2ef7a2

SHA512
7f7c3eaece135b7be11351d94c0ad6c1c15a878c62473d8209b0ebe3a1404783b1cf93b734390551a61f03f3f1f8455400309e3ac9bb0cd5f9bbd68ad01ddee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk763028.exe

Filesize
459KB

MD5
f6bbb55f6dc10d9c67190b1e36b097ce

SHA1
a084d92dc2def4865d7fc4e1abfa329fb027fcb1

SHA256
f1a9b93c9dfcc9959ef75854b142862bc25d111a441cfd480dc0e137e64a23ce

SHA512
314bae56fbdbf4806eb87f6f012add7ee053bb0f655c7d7e5ff7f17ebcb6f375608b03978ab5653729151eb43862c14ed7d4cbfb703e03fda32f6e197cddf81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk763028.exe

Filesize
459KB

MD5
f6bbb55f6dc10d9c67190b1e36b097ce

SHA1
a084d92dc2def4865d7fc4e1abfa329fb027fcb1

SHA256
f1a9b93c9dfcc9959ef75854b142862bc25d111a441cfd480dc0e137e64a23ce

SHA512
314bae56fbdbf4806eb87f6f012add7ee053bb0f655c7d7e5ff7f17ebcb6f375608b03978ab5653729151eb43862c14ed7d4cbfb703e03fda32f6e197cddf81d

Download Submit
memory/3884-1005-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/3884-1004-0x00000000007B0000-0x00000000007D8000-memory.dmp

Filesize
160KB

Download
memory/4636-159-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-173-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-151-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-153-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-155-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-157-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-149-0x0000000004EB0000-0x0000000005454000-memory.dmp

Filesize
5.6MB

Download
memory/4636-161-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-163-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-165-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-167-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-169-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-171-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-150-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-175-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-177-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4636-178-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4636-179-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4636-180-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4636-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4636-182-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4636-183-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4636-184-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4636-186-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4636-148-0x0000000000930000-0x000000000095D000-memory.dmp

Filesize
180KB

Download
memory/4684-192-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-191-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-196-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-198-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-200-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-202-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-204-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-206-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-208-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-210-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-212-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-214-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-216-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-218-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-220-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-222-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-224-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-495-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/4684-499-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/4684-501-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/4684-497-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/4684-987-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/4684-988-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4684-989-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4684-990-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/4684-991-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/4684-992-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/4684-993-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/4684-994-0x0000000008C30000-0x0000000008CA6000-memory.dmp

Filesize
472KB

Download
memory/4684-995-0x0000000008CE0000-0x0000000008CFE000-memory.dmp

Filesize
120KB

Download
memory/4684-194-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4684-996-0x0000000008E00000-0x0000000008FC2000-memory.dmp

Filesize
1.8MB

Download
memory/4684-997-0x0000000008FD0000-0x00000000094FC000-memory.dmp

Filesize
5.2MB

Download
memory/4684-998-0x00000000024C0000-0x0000000002510000-memory.dmp

Filesize
320KB

Download