eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb

Analysis

max time kernel
110s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe
Size

746KB
MD5

5dcd4fec70ec67bcd968ddce3a0b2dfd
SHA1

6820873b3dbe678006c0bf772f98be9ce7f46a9f
SHA256

eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb
SHA512

ba79ebd3cd4fa19a95033571f63a6a591cba8e8d65015971497d0086a464d18f03a6f99f7cd8f0f0cf8f70d9d67d8d9cf14f3d8689f0e01897a636d3bd954863
SSDEEP

12288:gy904l1AdfPq/Gi6K5eMVMsTYfe2ZSuq9YQBtUXp/kNNoc:gyzl1AdfPHi3cM6sYm2ZpwUXQN9

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	43773145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	43773145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	43773145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	43773145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	43773145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	43773145.exe

Executes dropped EXE 4 IoCs

pid	Process
996	un346151.exe
4468	43773145.exe
4592	rk285456.exe
4752	si762289.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	43773145.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	43773145.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un346151.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un346151.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3948	4468	WerFault.exe	85
4952	4592	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4468	43773145.exe
4468	43773145.exe
4592	rk285456.exe
4592	rk285456.exe
4752	si762289.exe
4752	si762289.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	43773145.exe
Token: SeDebugPrivilege	4592	rk285456.exe
Token: SeDebugPrivilege	4752	si762289.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 996	1476	eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe	84
PID 1476 wrote to memory of 996	1476	eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe	84
PID 1476 wrote to memory of 996	1476	eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe	84
PID 996 wrote to memory of 4468	996	un346151.exe	85
PID 996 wrote to memory of 4468	996	un346151.exe	85
PID 996 wrote to memory of 4468	996	un346151.exe	85
PID 996 wrote to memory of 4592	996	un346151.exe	95
PID 996 wrote to memory of 4592	996	un346151.exe	95
PID 996 wrote to memory of 4592	996	un346151.exe	95
PID 1476 wrote to memory of 4752	1476	eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe	98
PID 1476 wrote to memory of 4752	1476	eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe	98
PID 1476 wrote to memory of 4752	1476	eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe	98

C:\Users\Admin\AppData\Local\Temp\eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe
"C:\Users\Admin\AppData\Local\Temp\eb84cd44035fec15ed3661fdf5b5bd25c82c85f9bbed2ce122e24bb19f7c82cb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un346151.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un346151.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43773145.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43773145.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1084
      4⤵
      Program crash
      PID:3948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk285456.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk285456.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1920
      4⤵
      Program crash
      PID:4952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si762289.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si762289.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4468 -ip 4468
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4592 -ip 4592
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si762289.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si762289.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un346151.exe

Filesize
592KB

MD5
a5aa00e733f45c079fa7e3e71ad719a3

SHA1
a1c1b76fb95d717049fd080dd02a156e49044309

SHA256
21f2a65b8248d0f239b63d65165603ca8460d5dec178c81305133cfbe1a33555

SHA512
5d576174dee938db45cdd4733669f36e564324f06d929a6abc45e4db4d3db21a869cdd071e04e62584af507fb093955caeacdd18c696f6a24f4ffb4ab0daff14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un346151.exe

Filesize
592KB

MD5
a5aa00e733f45c079fa7e3e71ad719a3

SHA1
a1c1b76fb95d717049fd080dd02a156e49044309

SHA256
21f2a65b8248d0f239b63d65165603ca8460d5dec178c81305133cfbe1a33555

SHA512
5d576174dee938db45cdd4733669f36e564324f06d929a6abc45e4db4d3db21a869cdd071e04e62584af507fb093955caeacdd18c696f6a24f4ffb4ab0daff14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43773145.exe

Filesize
376KB

MD5
e1bfc9bc2cf1a2fd601d855cd36f48c9

SHA1
affe92ddb0d8c7f7482b19a1bc63fbdaf88004cc

SHA256
2188644e59806dcc732b38858ed644de8e3b1d809d3eeea6997971174152bd02

SHA512
aa3e5ccd940fa1df6e5a1d67571ee27a3388256b516a80aa42730c0c5ec338b3efccc38d8708c66d6313606866182ca97b0e71d65cc9bde321b439568944f44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43773145.exe

Filesize
376KB

MD5
e1bfc9bc2cf1a2fd601d855cd36f48c9

SHA1
affe92ddb0d8c7f7482b19a1bc63fbdaf88004cc

SHA256
2188644e59806dcc732b38858ed644de8e3b1d809d3eeea6997971174152bd02

SHA512
aa3e5ccd940fa1df6e5a1d67571ee27a3388256b516a80aa42730c0c5ec338b3efccc38d8708c66d6313606866182ca97b0e71d65cc9bde321b439568944f44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk285456.exe

Filesize
459KB

MD5
e45573cfb61586966b422608391459fe

SHA1
9067c74bcc5497a3a27b322cc6243869ca01326c

SHA256
ddf60742dfad211acaa2705c78684f14e14d953c04a4a813c975a8dd36aa379b

SHA512
8074ac093f9b74b2712fcb01891048123038c81753af5edc0bcdd1edb4220d3e82ccfeeb27ebb21e81e5148ad271d4e46bd6652c8176e3365d9633715c301008

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk285456.exe

Filesize
459KB

MD5
e45573cfb61586966b422608391459fe

SHA1
9067c74bcc5497a3a27b322cc6243869ca01326c

SHA256
ddf60742dfad211acaa2705c78684f14e14d953c04a4a813c975a8dd36aa379b

SHA512
8074ac093f9b74b2712fcb01891048123038c81753af5edc0bcdd1edb4220d3e82ccfeeb27ebb21e81e5148ad271d4e46bd6652c8176e3365d9633715c301008

Download Submit
memory/4468-148-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/4468-149-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/4468-150-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4468-151-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4468-152-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4468-153-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-154-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-156-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-158-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-160-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-164-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-162-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-166-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-168-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-170-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-172-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-174-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-176-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-178-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-180-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4468-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4468-182-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4468-183-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4468-185-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4592-191-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-190-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-193-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-195-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-196-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/4592-198-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-200-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4592-199-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4592-202-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-205-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-203-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4592-207-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-209-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-211-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-213-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-215-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-217-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-219-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-221-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-223-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-225-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-227-0x00000000053C0000-0x00000000053F5000-memory.dmp

Filesize
212KB

Download
memory/4592-986-0x00000000078C0000-0x0000000007ED8000-memory.dmp

Filesize
6.1MB

Download
memory/4592-987-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4592-988-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4592-989-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/4592-990-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4592-991-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/4592-992-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/4592-993-0x0000000008B30000-0x0000000008B80000-memory.dmp

Filesize
320KB

Download
memory/4592-994-0x0000000008B90000-0x0000000008C06000-memory.dmp

Filesize
472KB

Download
memory/4592-995-0x0000000008D60000-0x0000000008F22000-memory.dmp

Filesize
1.8MB

Download
memory/4592-996-0x0000000008F50000-0x000000000947C000-memory.dmp

Filesize
5.2MB

Download
memory/4592-997-0x0000000009580000-0x000000000959E000-memory.dmp

Filesize
120KB

Download
memory/4752-1003-0x0000000000C70000-0x0000000000C98000-memory.dmp

Filesize
160KB

Download
memory/4752-1004-0x0000000007A50000-0x0000000007A60000-memory.dmp

Filesize
64KB

Download