50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f

Analysis

max time kernel
51s
max time network
74s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25/04/2023, 08:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe
Size

701KB
MD5

6e0a6e835f80fab23a473cddc94da91d
SHA1

677e2f05fdb36c66b1f099710691a0628e22c7e1
SHA256

50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f
SHA512

7b80625cf093717960782b32d617c987dc0f070654253de477cab5b5c1927a49c94bae230ad2f85257feee62feb4853ff42509d69461a73365b0f8efef0a459a
SSDEEP

12288:4y90NLNjhbui1qwt5SAfwdHn20cq2nK87R7AGZK/h1wR/BS5NI7jWD/:4yWVbhCAkHn2dlK87DI1wR/BS03W

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	77368012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	77368012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	77368012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	77368012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	77368012.exe

Executes dropped EXE 4 IoCs

pid	Process
5048	un145018.exe
3560	77368012.exe
3532	rk323951.exe
3692	si561408.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	77368012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	77368012.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un145018.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un145018.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3560	77368012.exe
3560	77368012.exe
3532	rk323951.exe
3532	rk323951.exe
3692	si561408.exe
3692	si561408.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3560	77368012.exe
Token: SeDebugPrivilege	3532	rk323951.exe
Token: SeDebugPrivilege	3692	si561408.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 5048	4452	50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe	66
PID 4452 wrote to memory of 5048	4452	50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe	66
PID 4452 wrote to memory of 5048	4452	50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe	66
PID 5048 wrote to memory of 3560	5048	un145018.exe	67
PID 5048 wrote to memory of 3560	5048	un145018.exe	67
PID 5048 wrote to memory of 3560	5048	un145018.exe	67
PID 5048 wrote to memory of 3532	5048	un145018.exe	68
PID 5048 wrote to memory of 3532	5048	un145018.exe	68
PID 5048 wrote to memory of 3532	5048	un145018.exe	68
PID 4452 wrote to memory of 3692	4452	50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe	70
PID 4452 wrote to memory of 3692	4452	50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe	70
PID 4452 wrote to memory of 3692	4452	50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe	70

C:\Users\Admin\AppData\Local\Temp\50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe
"C:\Users\Admin\AppData\Local\Temp\50eb86c5029c4d5eaa59a7d3c0000e2decaff81538026d11084276600a074c9f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un145018.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un145018.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77368012.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77368012.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk323951.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk323951.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si561408.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si561408.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si561408.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si561408.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un145018.exe

Filesize
547KB

MD5
ae9c96930e4c4d571060b7ca5e774245

SHA1
4c8a299f0aaf2a53fdd3341667f4c4c0e91af9b8

SHA256
d21dc2988f6f546c9ab572041f5a5d008d385c61d454fd2cfaec50cc3b044bff

SHA512
7a2722341877905b8ce77ba6a56b53a8ade7f1ce18cf7c2d97d9a473c9db8a9bbe1cd0da29448cb2c2edde7236d330b8905a588846cd731cbce410aee192c7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un145018.exe

Filesize
547KB

MD5
ae9c96930e4c4d571060b7ca5e774245

SHA1
4c8a299f0aaf2a53fdd3341667f4c4c0e91af9b8

SHA256
d21dc2988f6f546c9ab572041f5a5d008d385c61d454fd2cfaec50cc3b044bff

SHA512
7a2722341877905b8ce77ba6a56b53a8ade7f1ce18cf7c2d97d9a473c9db8a9bbe1cd0da29448cb2c2edde7236d330b8905a588846cd731cbce410aee192c7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77368012.exe

Filesize
269KB

MD5
c44f20a45c59f6cc14109ee14b1db7ac

SHA1
a0b2e2bcb8487cdc9c0bcbc51c8456dea931cf8d

SHA256
afe921285bfc5d38bd7c0b77168bce08022e26b8a0811997f99f80da4a744c27

SHA512
27806ec92f2cd236c0adffad415c337465f1352270ef5e930ea9d6b59ada19805d4fc09445d1ba9481fa6bf54e9bdcc29f32618284294815b9cf1f006cd44d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77368012.exe

Filesize
269KB

MD5
c44f20a45c59f6cc14109ee14b1db7ac

SHA1
a0b2e2bcb8487cdc9c0bcbc51c8456dea931cf8d

SHA256
afe921285bfc5d38bd7c0b77168bce08022e26b8a0811997f99f80da4a744c27

SHA512
27806ec92f2cd236c0adffad415c337465f1352270ef5e930ea9d6b59ada19805d4fc09445d1ba9481fa6bf54e9bdcc29f32618284294815b9cf1f006cd44d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk323951.exe

Filesize
353KB

MD5
c8edbdc486f29ba420d1cf4ee0255980

SHA1
18b175cca2296ac8f86c4dca8e1d2baa574a73e1

SHA256
1b9618c10ded402f8efc7bed6441dad8c5ab3f43206a603df979379718cd690f

SHA512
37fc969a8a01e85b035c1610a5ac8c854bf3b47656e140153dfe5e13b04216446a3ef6ac042cae30da650e0ce2b8d318f6f078b5916ac2b5a33cd6e704a07ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk323951.exe

Filesize
353KB

MD5
c8edbdc486f29ba420d1cf4ee0255980

SHA1
18b175cca2296ac8f86c4dca8e1d2baa574a73e1

SHA256
1b9618c10ded402f8efc7bed6441dad8c5ab3f43206a603df979379718cd690f

SHA512
37fc969a8a01e85b035c1610a5ac8c854bf3b47656e140153dfe5e13b04216446a3ef6ac042cae30da650e0ce2b8d318f6f078b5916ac2b5a33cd6e704a07ba2

Download Submit
memory/3532-211-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-978-0x000000000A3C0000-0x000000000A9C6000-memory.dmp

Filesize
6.0MB

Download
memory/3532-186-0x0000000007520000-0x0000000007530000-memory.dmp

Filesize
64KB

Download
memory/3532-990-0x0000000004B90000-0x0000000004BE0000-memory.dmp

Filesize
320KB

Download
memory/3532-989-0x000000000B220000-0x000000000B74C000-memory.dmp

Filesize
5.2MB

Download
memory/3532-987-0x000000000B050000-0x000000000B212000-memory.dmp

Filesize
1.8MB

Download
memory/3532-986-0x000000000AF80000-0x000000000AF9E000-memory.dmp

Filesize
120KB

Download
memory/3532-985-0x000000000AEE0000-0x000000000AF56000-memory.dmp

Filesize
472KB

Download
memory/3532-984-0x000000000AD40000-0x000000000ADD2000-memory.dmp

Filesize
584KB

Download
memory/3532-983-0x000000000A050000-0x000000000A0B6000-memory.dmp

Filesize
408KB

Download
memory/3532-982-0x0000000007430000-0x000000000747B000-memory.dmp

Filesize
300KB

Download
memory/3532-981-0x0000000004E70000-0x0000000004EAE000-memory.dmp

Filesize
248KB

Download
memory/3532-980-0x0000000009DB0000-0x0000000009EBA000-memory.dmp

Filesize
1.0MB

Download
memory/3532-979-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/3532-219-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-217-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-215-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-213-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-209-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-207-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-189-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-203-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-201-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-199-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-197-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-180-0x0000000004860000-0x000000000489C000-memory.dmp

Filesize
240KB

Download
memory/3532-182-0x0000000004A00000-0x0000000004A3A000-memory.dmp

Filesize
232KB

Download
memory/3532-183-0x0000000007520000-0x0000000007530000-memory.dmp

Filesize
64KB

Download
memory/3532-181-0x0000000002BC0000-0x0000000002C06000-memory.dmp

Filesize
280KB

Download
memory/3532-185-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-184-0x0000000007520000-0x0000000007530000-memory.dmp

Filesize
64KB

Download
memory/3532-187-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-195-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-191-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-205-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3532-193-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/3560-159-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-149-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-139-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/3560-175-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/3560-174-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/3560-172-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/3560-171-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/3560-170-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/3560-169-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-167-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-137-0x0000000007260000-0x000000000775E000-memory.dmp

Filesize
5.0MB

Download
memory/3560-165-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-163-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-141-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/3560-138-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/3560-140-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/3560-145-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-161-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-153-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-151-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-155-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-147-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-157-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-143-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-142-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3560-136-0x0000000003060000-0x000000000307A000-memory.dmp

Filesize
104KB

Download
memory/3560-135-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3692-996-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/3692-997-0x0000000006ED0000-0x0000000006F1B000-memory.dmp

Filesize
300KB

Download
memory/3692-998-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download