eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6

Analysis

max time kernel
81s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe
Size

745KB
MD5

ef816cda95d546705490371a50846722
SHA1

ab6110e2442d9fe4653e8f5ce8fb46e1b8fa3015
SHA256

eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6
SHA512

ad43d15c0ba216d48774ec836b203acddb21dfd1cfdf577ce7a7d695c765dce205967721bf64c4ecaed9095aa84a2945d6aeeca6169e6143040abca35798fd20
SSDEEP

12288:Zy90VAhnomN3knD2tDuuWSCb8VWAnXANlVOws7HDCJ9bJBtKX65kclnpQZNFaQ:ZymAhnoKknDclWSCb8VWAiV/s7CRKXY2

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	27834231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	27834231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	27834231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	27834231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	27834231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	27834231.exe

Executes dropped EXE 4 IoCs

pid	Process
544	un110533.exe
1420	27834231.exe
2276	rk097491.exe
3964	si437255.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	27834231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	27834231.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un110533.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un110533.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
216	1420	WerFault.exe	86
3528	2276	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1420	27834231.exe
1420	27834231.exe
2276	rk097491.exe
2276	rk097491.exe
3964	si437255.exe
3964	si437255.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	27834231.exe
Token: SeDebugPrivilege	2276	rk097491.exe
Token: SeDebugPrivilege	3964	si437255.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 544	4868	eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe	85
PID 4868 wrote to memory of 544	4868	eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe	85
PID 4868 wrote to memory of 544	4868	eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe	85
PID 544 wrote to memory of 1420	544	un110533.exe	86
PID 544 wrote to memory of 1420	544	un110533.exe	86
PID 544 wrote to memory of 1420	544	un110533.exe	86
PID 544 wrote to memory of 2276	544	un110533.exe	92
PID 544 wrote to memory of 2276	544	un110533.exe	92
PID 544 wrote to memory of 2276	544	un110533.exe	92
PID 4868 wrote to memory of 3964	4868	eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe	95
PID 4868 wrote to memory of 3964	4868	eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe	95
PID 4868 wrote to memory of 3964	4868	eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe	95

C:\Users\Admin\AppData\Local\Temp\eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe
"C:\Users\Admin\AppData\Local\Temp\eb09b31672be263f3412dd0b6b5a772de3e4855e504ed25e52129bc520c7a8e6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110533.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110533.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\27834231.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\27834231.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1084
      4⤵
      Program crash
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk097491.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk097491.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1884
      4⤵
      Program crash
      PID:3528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si437255.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si437255.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1420 -ip 1420
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2276 -ip 2276
1⤵
PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si437255.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si437255.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110533.exe

Filesize
591KB

MD5
8bf078581a0c3f98d813822ceae034a1

SHA1
be41b216d0793413bb041fac8ccd01bd6920aa4f

SHA256
14fc0962c623081b39687a0b2daec67056fd3be3eba1138c3804b5179e31af20

SHA512
aa3996e9528904789f440653aa02c327b319c526bca90495bd6612d9e2033cb4102fe6126766bcaf107861811b2f494e2457ab7dd523b10ee5be290dc3e6e1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110533.exe

Filesize
591KB

MD5
8bf078581a0c3f98d813822ceae034a1

SHA1
be41b216d0793413bb041fac8ccd01bd6920aa4f

SHA256
14fc0962c623081b39687a0b2daec67056fd3be3eba1138c3804b5179e31af20

SHA512
aa3996e9528904789f440653aa02c327b319c526bca90495bd6612d9e2033cb4102fe6126766bcaf107861811b2f494e2457ab7dd523b10ee5be290dc3e6e1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\27834231.exe

Filesize
376KB

MD5
ccc8ca17d43fccb5d1a0a1b393700d9e

SHA1
29e13fc35b71fe899263665f99c312340d1a975b

SHA256
0dd60d6b8ad32daf7fe51daf7b08fbb6eeeb5f44a78eed54349f6456bd03b92a

SHA512
5dc6610af6c4fb6a5fb73a42f83403eb5e7b16b6c6e7c9d19973acf88444479c5d9a2894dbf8e5c7e79badad46949837260eb1bce3de0be3aa758811fa9fdbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\27834231.exe

Filesize
376KB

MD5
ccc8ca17d43fccb5d1a0a1b393700d9e

SHA1
29e13fc35b71fe899263665f99c312340d1a975b

SHA256
0dd60d6b8ad32daf7fe51daf7b08fbb6eeeb5f44a78eed54349f6456bd03b92a

SHA512
5dc6610af6c4fb6a5fb73a42f83403eb5e7b16b6c6e7c9d19973acf88444479c5d9a2894dbf8e5c7e79badad46949837260eb1bce3de0be3aa758811fa9fdbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk097491.exe

Filesize
459KB

MD5
02d38b000c65e6eea48e3890649c6867

SHA1
76b5253d3ed6054d9310df42ac2c07aa553ebb64

SHA256
a7ff8c8f62dd0ef5fb33f5f71a7fb4e3bd12abe1ca8435ffa869628f64a68875

SHA512
33845c2300665f655bd17e0fa1c1cd2500cc359aa71e021c67e3fb00af5cea4a33002baef193c116c0cef932b4bdc164383a6d0719dbdff5f429efcb9a5ad119

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk097491.exe

Filesize
459KB

MD5
02d38b000c65e6eea48e3890649c6867

SHA1
76b5253d3ed6054d9310df42ac2c07aa553ebb64

SHA256
a7ff8c8f62dd0ef5fb33f5f71a7fb4e3bd12abe1ca8435ffa869628f64a68875

SHA512
33845c2300665f655bd17e0fa1c1cd2500cc359aa71e021c67e3fb00af5cea4a33002baef193c116c0cef932b4bdc164383a6d0719dbdff5f429efcb9a5ad119

Download Submit
memory/1420-148-0x0000000004EB0000-0x0000000005454000-memory.dmp

Filesize
5.6MB

Download
memory/1420-149-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/1420-151-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1420-150-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1420-152-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1420-153-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-154-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-156-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-158-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-160-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-162-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-164-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-166-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-168-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-170-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-172-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-176-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-174-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-178-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-180-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1420-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1420-182-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1420-183-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1420-185-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2276-190-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-191-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-193-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-195-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-197-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-199-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-201-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-203-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-205-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-207-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-209-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-211-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-213-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-215-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-217-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-219-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-221-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-223-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2276-590-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/2276-591-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2276-593-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2276-985-0x0000000007940000-0x0000000007F58000-memory.dmp

Filesize
6.1MB

Download
memory/2276-986-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/2276-987-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/2276-988-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/2276-989-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2276-990-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/2276-991-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/2276-992-0x0000000008C40000-0x0000000008CB6000-memory.dmp

Filesize
472KB

Download
memory/2276-993-0x0000000008CE0000-0x0000000008CFE000-memory.dmp

Filesize
120KB

Download
memory/2276-994-0x0000000008E00000-0x0000000008FC2000-memory.dmp

Filesize
1.8MB

Download
memory/2276-995-0x0000000008FD0000-0x00000000094FC000-memory.dmp

Filesize
5.2MB

Download
memory/2276-996-0x0000000004860000-0x00000000048B0000-memory.dmp

Filesize
320KB

Download
memory/3964-1003-0x0000000000BE0000-0x0000000000C08000-memory.dmp

Filesize
160KB

Download
memory/3964-1004-0x0000000007930000-0x0000000007940000-memory.dmp

Filesize
64KB

Download