6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764

Analysis

max time kernel
111s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe
Size

700KB
MD5

2a72e3a4040e2be85d37c2f61da7acc7
SHA1

7cabb464d8606f5002431ddc39502ef3e28742fd
SHA256

6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764
SHA512

5ffff2b576e9dec0fcaa97b0b1918e4e769bcd8f012ed9e5548816a03b0bdd867034a20603043db768f7300c0ab3c4d081f67216fdea56a0f267d20c24fcd5fe
SSDEEP

12288:ry90fSUVrmdTFm0OQYVw4iFikBFaIqZzN9iedwzt+STPYvQmRYqsANqUJDPE:ryAVqdogYVZqiXPv9iedwJ+5v9vzlE

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	63179156.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	63179156.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	63179156.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	63179156.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	63179156.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	63179156.exe

Executes dropped EXE 4 IoCs

pid	Process
4416	un531177.exe
1160	63179156.exe
4604	rk635656.exe
4820	si490881.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	63179156.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	63179156.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un531177.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un531177.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4744	1160	WerFault.exe	84
4132	4604	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1160	63179156.exe
1160	63179156.exe
4604	rk635656.exe
4604	rk635656.exe
4820	si490881.exe
4820	si490881.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	63179156.exe
Token: SeDebugPrivilege	4604	rk635656.exe
Token: SeDebugPrivilege	4820	si490881.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 4416	3744	6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe	83
PID 3744 wrote to memory of 4416	3744	6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe	83
PID 3744 wrote to memory of 4416	3744	6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe	83
PID 4416 wrote to memory of 1160	4416	un531177.exe	84
PID 4416 wrote to memory of 1160	4416	un531177.exe	84
PID 4416 wrote to memory of 1160	4416	un531177.exe	84
PID 4416 wrote to memory of 4604	4416	un531177.exe	92
PID 4416 wrote to memory of 4604	4416	un531177.exe	92
PID 4416 wrote to memory of 4604	4416	un531177.exe	92
PID 3744 wrote to memory of 4820	3744	6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe	95
PID 3744 wrote to memory of 4820	3744	6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe	95
PID 3744 wrote to memory of 4820	3744	6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe	95

C:\Users\Admin\AppData\Local\Temp\6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe
"C:\Users\Admin\AppData\Local\Temp\6f8e0305643182a43f28eda4d868988d380aea569f9bee9dbec9a87a126b3764.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un531177.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un531177.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63179156.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63179156.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 1076
      4⤵
      Program crash
      PID:4744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk635656.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk635656.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1312
      4⤵
      Program crash
      PID:4132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si490881.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si490881.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1160 -ip 1160
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4604 -ip 4604
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si490881.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si490881.exe

Filesize
136KB

MD5
b9f17cc95395f13838ba119abc3f742f

SHA1
ecdbc7ef78234c1c7009fdbc6f744c511067767d

SHA256
2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15

SHA512
bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un531177.exe

Filesize
546KB

MD5
3d0e0d141074e9f3ddefc8c8ec3b931f

SHA1
35b7efc8a12362b56a082bad985841e4369fc303

SHA256
81e824d089239efa72f69404c743d8c127a74e621d24c72f90d161d47aebb7bc

SHA512
2d746bcee0f30881b8786fb46215dde12120adc922420478f86740d570456bb09c7229f652565c605192f44ecdf76fe8e831ade7262b17c9c9a01046c44f84da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un531177.exe

Filesize
546KB

MD5
3d0e0d141074e9f3ddefc8c8ec3b931f

SHA1
35b7efc8a12362b56a082bad985841e4369fc303

SHA256
81e824d089239efa72f69404c743d8c127a74e621d24c72f90d161d47aebb7bc

SHA512
2d746bcee0f30881b8786fb46215dde12120adc922420478f86740d570456bb09c7229f652565c605192f44ecdf76fe8e831ade7262b17c9c9a01046c44f84da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63179156.exe

Filesize
269KB

MD5
bd63658617dbfdf96d3e7e9fc878f344

SHA1
54cbcc7c0b9dcf4f16fc2d6bbb376b2629f09cab

SHA256
15141fd27f7bdba93e878107cacd3eea0abc147ce9b23c61436b22c7a34309e9

SHA512
cb1e19b7cc92c7f7f204e8d6441fd1c7523453f56ecd10f020179b91d9dde922b6d072dfbb8dcd9e2443821f320dc83d895151a10bd22b6d252c920cf15ea66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63179156.exe

Filesize
269KB

MD5
bd63658617dbfdf96d3e7e9fc878f344

SHA1
54cbcc7c0b9dcf4f16fc2d6bbb376b2629f09cab

SHA256
15141fd27f7bdba93e878107cacd3eea0abc147ce9b23c61436b22c7a34309e9

SHA512
cb1e19b7cc92c7f7f204e8d6441fd1c7523453f56ecd10f020179b91d9dde922b6d072dfbb8dcd9e2443821f320dc83d895151a10bd22b6d252c920cf15ea66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk635656.exe

Filesize
353KB

MD5
d39825e9441ffeab7080d6ec42d8e155

SHA1
6963ced087be1065e2870b42226932cc23a91e00

SHA256
f7acdde4150f408853d0f9374615c5b54f69f19f8c9a33ed80023f5176273231

SHA512
bf532f3789baf79c3ed717a2a67d10bd14b22741a1688592a2ac0bdd635bacacc3eab200340c5ee03c7bc32c92aa97517236bc112b50387a2728663d0c3f6921

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk635656.exe

Filesize
353KB

MD5
d39825e9441ffeab7080d6ec42d8e155

SHA1
6963ced087be1065e2870b42226932cc23a91e00

SHA256
f7acdde4150f408853d0f9374615c5b54f69f19f8c9a33ed80023f5176273231

SHA512
bf532f3789baf79c3ed717a2a67d10bd14b22741a1688592a2ac0bdd635bacacc3eab200340c5ee03c7bc32c92aa97517236bc112b50387a2728663d0c3f6921

Download Submit
memory/1160-148-0x0000000002BC0000-0x0000000002BED000-memory.dmp

Filesize
180KB

Download
memory/1160-149-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/1160-150-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/1160-151-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/1160-152-0x0000000007120000-0x00000000076C4000-memory.dmp

Filesize
5.6MB

Download
memory/1160-153-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-156-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-154-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-158-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-160-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-162-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-164-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-166-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-168-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-170-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-172-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-174-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-176-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-178-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-180-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/1160-181-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/1160-182-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/1160-183-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/1160-184-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/1160-186-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/4604-194-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-192-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-195-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/4604-193-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/4604-191-0x0000000002BC0000-0x0000000002C06000-memory.dmp

Filesize
280KB

Download
memory/4604-197-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/4604-198-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-200-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-202-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-204-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-206-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-208-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-210-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-212-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-214-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-216-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-218-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-220-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-222-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-224-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-226-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-228-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4604-987-0x0000000009C70000-0x000000000A288000-memory.dmp

Filesize
6.1MB

Download
memory/4604-988-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/4604-989-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/4604-990-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/4604-991-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/4604-992-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/4604-993-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/4604-994-0x000000000AEC0000-0x000000000AF36000-memory.dmp

Filesize
472KB

Download
memory/4604-995-0x000000000AF80000-0x000000000AF9E000-memory.dmp

Filesize
120KB

Download
memory/4604-996-0x000000000B010000-0x000000000B060000-memory.dmp

Filesize
320KB

Download
memory/4604-997-0x000000000B1A0000-0x000000000B362000-memory.dmp

Filesize
1.8MB

Download
memory/4604-998-0x000000000B380000-0x000000000B8AC000-memory.dmp

Filesize
5.2MB

Download
memory/4820-1006-0x0000000000A20000-0x0000000000A48000-memory.dmp

Filesize
160KB

Download
memory/4820-1007-0x0000000007B60000-0x0000000007B70000-memory.dmp

Filesize
64KB

Download