e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e

Analysis

max time kernel
54s
max time network
70s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25/04/2023, 08:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe
Size

699KB
MD5

26b1ec85d1d93aa58a79ea545130d949
SHA1

d378387d414a27a9f6e220bf202761d7ed22170d
SHA256

e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e
SHA512

4e7cfccc652e4445cf6705205c2056c33dbf7eee5a043f61d8c491eb3783e3c23bc03cfd6d67aab0c51440f97166e8bc9317b107415e2ea7fcd4c4f5f3bd5289
SSDEEP

12288:py90htgNBRtIoj18GVWZ+kF/Bddn8yKvGbo25sjRSm2IzNDae8:pyp5tY9+kdn8yJbsjRSm2MNe

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	76890483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	76890483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	76890483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	76890483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	76890483.exe

Executes dropped EXE 4 IoCs

pid	Process
3952	un347594.exe
3860	76890483.exe
2168	rk925331.exe
5080	si377547.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	76890483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	76890483.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un347594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un347594.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3860	76890483.exe
3860	76890483.exe
2168	rk925331.exe
2168	rk925331.exe
5080	si377547.exe
5080	si377547.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	76890483.exe
Token: SeDebugPrivilege	2168	rk925331.exe
Token: SeDebugPrivilege	5080	si377547.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3952	2208	e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe	66
PID 2208 wrote to memory of 3952	2208	e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe	66
PID 2208 wrote to memory of 3952	2208	e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe	66
PID 3952 wrote to memory of 3860	3952	un347594.exe	67
PID 3952 wrote to memory of 3860	3952	un347594.exe	67
PID 3952 wrote to memory of 3860	3952	un347594.exe	67
PID 3952 wrote to memory of 2168	3952	un347594.exe	68
PID 3952 wrote to memory of 2168	3952	un347594.exe	68
PID 3952 wrote to memory of 2168	3952	un347594.exe	68
PID 2208 wrote to memory of 5080	2208	e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe	70
PID 2208 wrote to memory of 5080	2208	e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe	70
PID 2208 wrote to memory of 5080	2208	e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe	70

C:\Users\Admin\AppData\Local\Temp\e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe
"C:\Users\Admin\AppData\Local\Temp\e0b3fa178b93e8e9ce74b0b0eb94e6aedeb803ec72a2f1fe26f9979fa4a46a5e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un347594.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un347594.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76890483.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76890483.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk925331.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk925331.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si377547.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si377547.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si377547.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si377547.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un347594.exe

Filesize
545KB

MD5
e6be8771e324d5aed46883d23e21201a

SHA1
c7ebfb00817fa3c5349249b3ed5248c07643fcc5

SHA256
fe41ac952cda3d2bc068d4a790e31105c725cad233d941ddce2206d7881e4350

SHA512
0219109915febb24839210d2f830aa19d186740eb4ad069a91ab6c26bbc3f972466c961907371c56a04afe8e67d1452c92c1c14a7f326fafa9d99e3beafa6985

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un347594.exe

Filesize
545KB

MD5
e6be8771e324d5aed46883d23e21201a

SHA1
c7ebfb00817fa3c5349249b3ed5248c07643fcc5

SHA256
fe41ac952cda3d2bc068d4a790e31105c725cad233d941ddce2206d7881e4350

SHA512
0219109915febb24839210d2f830aa19d186740eb4ad069a91ab6c26bbc3f972466c961907371c56a04afe8e67d1452c92c1c14a7f326fafa9d99e3beafa6985

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76890483.exe

Filesize
269KB

MD5
5c73f551ec6665d8773ff63d1465e4ae

SHA1
7990ab98165663deffafe0e31d57eb039b0cb463

SHA256
6d4cacf2b39b3cb2117e0b0fd39f7f6a6904f5e32452ee68f743da97485eaaec

SHA512
cb340068349ccb4bc814a746e838eeb62b6fd2ac154301e63c84a09f8d1586be052e6e0b70ae5a0c51f74d330beae467312da8b2d95554c8b37875842521c46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76890483.exe

Filesize
269KB

MD5
5c73f551ec6665d8773ff63d1465e4ae

SHA1
7990ab98165663deffafe0e31d57eb039b0cb463

SHA256
6d4cacf2b39b3cb2117e0b0fd39f7f6a6904f5e32452ee68f743da97485eaaec

SHA512
cb340068349ccb4bc814a746e838eeb62b6fd2ac154301e63c84a09f8d1586be052e6e0b70ae5a0c51f74d330beae467312da8b2d95554c8b37875842521c46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk925331.exe

Filesize
353KB

MD5
988edc3d13083122b79409a8742cc07b

SHA1
f88e2f65339a078805dc805e139f1fc69713a3c7

SHA256
36b670141e800c51550741b58f871ee42bff05bcb4db218ffb7bf454a7f04b55

SHA512
4108939499a68855ddb5e23988030831b790a081c58c539bb518b1bbf5e7a8a4fb23f70e4ca7946e8763aa4eee744fe45037bd15eea20f9c3946e9a434347c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk925331.exe

Filesize
353KB

MD5
988edc3d13083122b79409a8742cc07b

SHA1
f88e2f65339a078805dc805e139f1fc69713a3c7

SHA256
36b670141e800c51550741b58f871ee42bff05bcb4db218ffb7bf454a7f04b55

SHA512
4108939499a68855ddb5e23988030831b790a081c58c539bb518b1bbf5e7a8a4fb23f70e4ca7946e8763aa4eee744fe45037bd15eea20f9c3946e9a434347c4a

Download Submit
memory/2168-337-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/2168-333-0x0000000002DC0000-0x0000000002E06000-memory.dmp

Filesize
280KB

Download
memory/2168-991-0x0000000004720000-0x0000000004770000-memory.dmp

Filesize
320KB

Download
memory/2168-989-0x000000000B7D0000-0x000000000B7EE000-memory.dmp

Filesize
120KB

Download
memory/2168-988-0x000000000B180000-0x000000000B6AC000-memory.dmp

Filesize
5.2MB

Download
memory/2168-987-0x000000000AFA0000-0x000000000B162000-memory.dmp

Filesize
1.8MB

Download
memory/2168-986-0x000000000AEE0000-0x000000000AF56000-memory.dmp

Filesize
472KB

Download
memory/2168-985-0x000000000AD40000-0x000000000ADD2000-memory.dmp

Filesize
584KB

Download
memory/2168-984-0x000000000A660000-0x000000000A6C6000-memory.dmp

Filesize
408KB

Download
memory/2168-983-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/2168-982-0x000000000A3D0000-0x000000000A41B000-memory.dmp

Filesize
300KB

Download
memory/2168-981-0x000000000A350000-0x000000000A38E000-memory.dmp

Filesize
248KB

Download
memory/2168-980-0x000000000A230000-0x000000000A33A000-memory.dmp

Filesize
1.0MB

Download
memory/2168-979-0x000000000A210000-0x000000000A222000-memory.dmp

Filesize
72KB

Download
memory/2168-978-0x0000000009C00000-0x000000000A206000-memory.dmp

Filesize
6.0MB

Download
memory/2168-338-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/2168-191-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-193-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-334-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/2168-201-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-215-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-213-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-211-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-209-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-207-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-180-0x0000000004A50000-0x0000000004A8C000-memory.dmp

Filesize
240KB

Download
memory/2168-181-0x0000000007180000-0x00000000071BA000-memory.dmp

Filesize
232KB

Download
memory/2168-183-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-182-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-185-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-187-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-189-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-205-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-195-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-203-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-197-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2168-199-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/3860-167-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-169-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-140-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-138-0x0000000004C70000-0x0000000004C88000-memory.dmp

Filesize
96KB

Download
memory/3860-139-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-172-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/3860-175-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3860-174-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3860-173-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3860-137-0x00000000071B0000-0x00000000076AE000-memory.dmp

Filesize
5.0MB

Download
memory/3860-170-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/3860-165-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-163-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-161-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-159-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-157-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-155-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-151-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-147-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3860-148-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-150-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3860-146-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3860-144-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-142-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3860-136-0x0000000004780000-0x000000000479A000-memory.dmp

Filesize
104KB

Download
memory/3860-135-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/5080-997-0x00000000004B0000-0x00000000004D8000-memory.dmp

Filesize
160KB

Download
memory/5080-998-0x0000000007230000-0x000000000727B000-memory.dmp

Filesize
300KB

Download
memory/5080-999-0x0000000007570000-0x0000000007580000-memory.dmp

Filesize
64KB

Download