3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689

Analysis

max time kernel
62s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe
Size

746KB
MD5

e5974f2bd53dada43315897b7c694400
SHA1

995bfd4cd02a73bda54a534cb86ac08fb5f3a038
SHA256

3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689
SHA512

4831760f789a12c18f257d4b548f2748a68fbc2b04b07d1511d22bcede80736f515850f329ec5bffefdc87068d9e05f0fb894203d3a3e60f68ecdeb3dcb612c4
SSDEEP

12288:uy90yejPqj4YKMQSZEZZKDhvapvYEu4B+k6BVYm9yIBtQXROsVgJqR0N:uyWSjNKMAZ0GYbloYQXNVoqm

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	84593723.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	84593723.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	84593723.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	84593723.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	84593723.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	84593723.exe

Executes dropped EXE 4 IoCs

pid	Process
1400	un573390.exe
2176	84593723.exe
3760	rk031604.exe
4816	si701920.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	84593723.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	84593723.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un573390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un573390.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3904	2176	WerFault.exe	83
2040	3760	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2176	84593723.exe
2176	84593723.exe
3760	rk031604.exe
3760	rk031604.exe
4816	si701920.exe
4816	si701920.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	84593723.exe
Token: SeDebugPrivilege	3760	rk031604.exe
Token: SeDebugPrivilege	4816	si701920.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1400	832	3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe	82
PID 832 wrote to memory of 1400	832	3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe	82
PID 832 wrote to memory of 1400	832	3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe	82
PID 1400 wrote to memory of 2176	1400	un573390.exe	83
PID 1400 wrote to memory of 2176	1400	un573390.exe	83
PID 1400 wrote to memory of 2176	1400	un573390.exe	83
PID 1400 wrote to memory of 3760	1400	un573390.exe	89
PID 1400 wrote to memory of 3760	1400	un573390.exe	89
PID 1400 wrote to memory of 3760	1400	un573390.exe	89
PID 832 wrote to memory of 4816	832	3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe	92
PID 832 wrote to memory of 4816	832	3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe	92
PID 832 wrote to memory of 4816	832	3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe	92

C:\Users\Admin\AppData\Local\Temp\3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe
"C:\Users\Admin\AppData\Local\Temp\3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un573390.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un573390.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84593723.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84593723.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1084
      4⤵
      Program crash
      PID:3904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk031604.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk031604.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 1320
      4⤵
      Program crash
      PID:2040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si701920.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si701920.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2176 -ip 2176
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3760 -ip 3760
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si701920.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si701920.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un573390.exe

Filesize
592KB

MD5
4822efbbdbe620c0080ac4abe837f2a4

SHA1
df5e3766446ed0ed6a6cc96198b1d32060ddc44b

SHA256
23a11074e33228d190515e85ca0e6c9c77b8725511441eb25870f20a903799ee

SHA512
0bab4fc75bc9ae1b7877bb8952c6bb210193e10dfa51b50b93827c0a99d84ac0493d43d2274ee88c36f61a37f9ca669c28d4c456599e023deca1f3c4fafb4245

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un573390.exe

Filesize
592KB

MD5
4822efbbdbe620c0080ac4abe837f2a4

SHA1
df5e3766446ed0ed6a6cc96198b1d32060ddc44b

SHA256
23a11074e33228d190515e85ca0e6c9c77b8725511441eb25870f20a903799ee

SHA512
0bab4fc75bc9ae1b7877bb8952c6bb210193e10dfa51b50b93827c0a99d84ac0493d43d2274ee88c36f61a37f9ca669c28d4c456599e023deca1f3c4fafb4245

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84593723.exe

Filesize
376KB

MD5
ddd6cf90f594271b84767b4080abf59e

SHA1
640f1b775792a2c9efe270fbfbc2151247bb7e0b

SHA256
04c3d89b6dfcb2e0016a2ab92e5e659ae2054de05eb2a2355545dbe4371a3094

SHA512
36807c075253f9b048a6e52b605e774e84ef323b4c310c83378ad56e785516d234729c534b9315aff01148b76c31321eb6503d845769d05bdff12e6c8c8eecab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84593723.exe

Filesize
376KB

MD5
ddd6cf90f594271b84767b4080abf59e

SHA1
640f1b775792a2c9efe270fbfbc2151247bb7e0b

SHA256
04c3d89b6dfcb2e0016a2ab92e5e659ae2054de05eb2a2355545dbe4371a3094

SHA512
36807c075253f9b048a6e52b605e774e84ef323b4c310c83378ad56e785516d234729c534b9315aff01148b76c31321eb6503d845769d05bdff12e6c8c8eecab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk031604.exe

Filesize
459KB

MD5
ddb6f480aa4db96f43102b7d64ac308d

SHA1
739cfbadc2541fb1e6771969762bafb528ea4134

SHA256
fdfffe42b5db4128da66c8be3a06b1fdc2a650a50863879b945af48469b53bbc

SHA512
b7b7bc0aa31368dea9ccd6e9b4f2ebf6dd9e8fc25bb2aa3ecad436dffd3d0c9c142f6558992fe3afedaeb672e084241be458796c1e7d07b4675b91448d8d2f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk031604.exe

Filesize
459KB

MD5
ddb6f480aa4db96f43102b7d64ac308d

SHA1
739cfbadc2541fb1e6771969762bafb528ea4134

SHA256
fdfffe42b5db4128da66c8be3a06b1fdc2a650a50863879b945af48469b53bbc

SHA512
b7b7bc0aa31368dea9ccd6e9b4f2ebf6dd9e8fc25bb2aa3ecad436dffd3d0c9c142f6558992fe3afedaeb672e084241be458796c1e7d07b4675b91448d8d2f0a

Download Submit
memory/2176-148-0x0000000004FE0000-0x0000000005584000-memory.dmp

Filesize
5.6MB

Download
memory/2176-149-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/2176-150-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/2176-151-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/2176-152-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-153-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-155-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-157-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-159-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-161-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-163-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-165-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-167-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-169-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-171-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-173-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-175-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-177-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-179-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2176-180-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2176-181-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/2176-182-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/2176-183-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/2176-185-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3760-190-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-191-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-193-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-195-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-197-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-199-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-201-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-203-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-205-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-207-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-209-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-211-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-213-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-215-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-218-0x0000000000A00000-0x0000000000A46000-memory.dmp

Filesize
280KB

Download
memory/3760-217-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-221-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/3760-222-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-220-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/3760-225-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-223-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/3760-227-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/3760-986-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/3760-987-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/3760-988-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/3760-989-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/3760-990-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/3760-991-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/3760-992-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/3760-993-0x0000000008B40000-0x0000000008BB6000-memory.dmp

Filesize
472KB

Download
memory/3760-994-0x0000000008C20000-0x0000000008DE2000-memory.dmp

Filesize
1.8MB

Download
memory/3760-995-0x0000000008DF0000-0x000000000931C000-memory.dmp

Filesize
5.2MB

Download
memory/3760-996-0x0000000009430000-0x000000000944E000-memory.dmp

Filesize
120KB

Download
memory/3760-997-0x00000000046E0000-0x0000000004730000-memory.dmp

Filesize
320KB

Download
memory/4816-1003-0x0000000000710000-0x0000000000738000-memory.dmp

Filesize
160KB

Download
memory/4816-1004-0x00000000077A0000-0x00000000077B0000-memory.dmp

Filesize
64KB

Download