85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2

Analysis

max time kernel
65s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 12:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe
Size

695KB
MD5

327920cc9d9b7a9e3c9650184c51eff6
SHA1

120b048ae08b6c2fe712178d53cbb84a2bc5a697
SHA256

85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2
SHA512

491bcb0772a2ab077087fea5e59576814e9068632fe1ab2dc6dd8f86ea3cdd16482c11c892aa4114e4e41f8f30c187bd337ebe47d391d8e2f567bfb0beb358b7
SSDEEP

12288:+y90dCmV2WqzvMx0e+zCDtUUFZ71hN5RoPQKhft0Vh9CZW+QAgx4ZRZDOSS8S6:+yI1V2jzk6uDpZhhNnKh1CCZmAE4ZRhx

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	03655651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	03655651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	03655651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	03655651.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	03655651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	03655651.exe

Executes dropped EXE 4 IoCs

pid	Process
4700	un666947.exe
744	03655651.exe
3396	rk063200.exe
1512	si138542.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	03655651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	03655651.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un666947.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un666947.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4000	744	WerFault.exe	84
1164	3396	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
744	03655651.exe
744	03655651.exe
3396	rk063200.exe
3396	rk063200.exe
1512	si138542.exe
1512	si138542.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	03655651.exe
Token: SeDebugPrivilege	3396	rk063200.exe
Token: SeDebugPrivilege	1512	si138542.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 4700	2264	85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe	83
PID 2264 wrote to memory of 4700	2264	85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe	83
PID 2264 wrote to memory of 4700	2264	85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe	83
PID 4700 wrote to memory of 744	4700	un666947.exe	84
PID 4700 wrote to memory of 744	4700	un666947.exe	84
PID 4700 wrote to memory of 744	4700	un666947.exe	84
PID 4700 wrote to memory of 3396	4700	un666947.exe	94
PID 4700 wrote to memory of 3396	4700	un666947.exe	94
PID 4700 wrote to memory of 3396	4700	un666947.exe	94
PID 2264 wrote to memory of 1512	2264	85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe	98
PID 2264 wrote to memory of 1512	2264	85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe	98
PID 2264 wrote to memory of 1512	2264	85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe	98

C:\Users\Admin\AppData\Local\Temp\85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe
"C:\Users\Admin\AppData\Local\Temp\85d903be0377479233db140362639e0e5c1c791e7cddf65c9ade96f2be94e3f2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un666947.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un666947.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03655651.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03655651.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1092
      4⤵
      Program crash
      PID:4000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk063200.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk063200.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1176
      4⤵
      Program crash
      PID:1164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si138542.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si138542.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 744 -ip 744
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3396 -ip 3396
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si138542.exe

Filesize
136KB

MD5
73cae2858379cab7e68b9e5bf751c372

SHA1
38c375354bda6e5c8fb2579f1ef0416a6c65929a

SHA256
e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c

SHA512
343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si138542.exe

Filesize
136KB

MD5
73cae2858379cab7e68b9e5bf751c372

SHA1
38c375354bda6e5c8fb2579f1ef0416a6c65929a

SHA256
e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c

SHA512
343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un666947.exe

Filesize
542KB

MD5
49523ef01def0e17ca0d658f648b8d18

SHA1
cb14ad5e3a4891276db8abdbe4c766aaf081deca

SHA256
a293f248956f1d7024c2af70d918443799e0d993b6fdc8bc8fd4c5d86c9c6cc0

SHA512
b441ef5b09adf002475146b9829183f60854f8ab9e281ce463f161fbb1043bb6fb7cd5dff655685352a34c77fbc6f56ca38e2d912f45f0593ed2afafb0b4d55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un666947.exe

Filesize
542KB

MD5
49523ef01def0e17ca0d658f648b8d18

SHA1
cb14ad5e3a4891276db8abdbe4c766aaf081deca

SHA256
a293f248956f1d7024c2af70d918443799e0d993b6fdc8bc8fd4c5d86c9c6cc0

SHA512
b441ef5b09adf002475146b9829183f60854f8ab9e281ce463f161fbb1043bb6fb7cd5dff655685352a34c77fbc6f56ca38e2d912f45f0593ed2afafb0b4d55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03655651.exe

Filesize
258KB

MD5
d14a90f4eca69b383ba48664bce38620

SHA1
08111a74b97005ca3abfc131a910577b2e64751e

SHA256
ab55c2f702f87e8e6a466df3112e602b4e3c0818dc7de86761fbfd75466a84de

SHA512
ac405b037d358bcd47becfe42c6b4a48fd52c37c00a1a617731ddabf6f4eead91d293d1557501859f6653f603aeddbe7652bdd9a4f0539242bf7a96dcd61ba30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03655651.exe

Filesize
258KB

MD5
d14a90f4eca69b383ba48664bce38620

SHA1
08111a74b97005ca3abfc131a910577b2e64751e

SHA256
ab55c2f702f87e8e6a466df3112e602b4e3c0818dc7de86761fbfd75466a84de

SHA512
ac405b037d358bcd47becfe42c6b4a48fd52c37c00a1a617731ddabf6f4eead91d293d1557501859f6653f603aeddbe7652bdd9a4f0539242bf7a96dcd61ba30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk063200.exe

Filesize
341KB

MD5
244a194a0d58af5ff98955d7eab42a3e

SHA1
39d0252f48297f535cf2a6c78a5275f895bf6d0f

SHA256
ea1bfb2b824c71fa4d0cce45b70f067c197242df74bed9cfb169008a535c554a

SHA512
f034fa110e8009da61c2c5229b10d4035771e8d30da36153008e62902194147dd793aecda8bf67bdce01d4995f2bd3d24bf5a10f57b53e612808eb8bf1705215

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk063200.exe

Filesize
341KB

MD5
244a194a0d58af5ff98955d7eab42a3e

SHA1
39d0252f48297f535cf2a6c78a5275f895bf6d0f

SHA256
ea1bfb2b824c71fa4d0cce45b70f067c197242df74bed9cfb169008a535c554a

SHA512
f034fa110e8009da61c2c5229b10d4035771e8d30da36153008e62902194147dd793aecda8bf67bdce01d4995f2bd3d24bf5a10f57b53e612808eb8bf1705215

Download Submit
memory/744-148-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/744-149-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/744-150-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/744-151-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-152-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-154-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-156-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-158-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-160-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-162-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-164-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-166-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-168-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-170-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-172-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-174-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-176-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-178-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/744-179-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/744-180-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/744-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/744-183-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/744-184-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/744-185-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1512-1007-0x0000000000EC0000-0x0000000000EE8000-memory.dmp

Filesize
160KB

Download
memory/1512-1008-0x0000000007F70000-0x0000000007F80000-memory.dmp

Filesize
64KB

Download
memory/3396-192-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-225-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-196-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-193-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3396-195-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3396-197-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3396-199-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-201-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-203-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-205-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-207-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-209-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-211-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-213-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-215-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-217-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-219-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-221-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-223-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-191-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-227-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3396-986-0x0000000009CC0000-0x000000000A2D8000-memory.dmp

Filesize
6.1MB

Download
memory/3396-987-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/3396-988-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/3396-989-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3396-990-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/3396-991-0x000000000A740000-0x000000000A7A6000-memory.dmp

Filesize
408KB

Download
memory/3396-992-0x000000000AE00000-0x000000000AE92000-memory.dmp

Filesize
584KB

Download
memory/3396-993-0x000000000AEC0000-0x000000000AF10000-memory.dmp

Filesize
320KB

Download
memory/3396-994-0x000000000AF20000-0x000000000AF96000-memory.dmp

Filesize
472KB

Download
memory/3396-995-0x000000000B0F0000-0x000000000B2B2000-memory.dmp

Filesize
1.8MB

Download
memory/3396-997-0x000000000B2E0000-0x000000000B80C000-memory.dmp

Filesize
5.2MB

Download
memory/3396-998-0x000000000B910000-0x000000000B92E000-memory.dmp

Filesize
120KB

Download
memory/3396-190-0x0000000002C80000-0x0000000002CC6000-memory.dmp

Filesize
280KB

Download
memory/3396-1000-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3396-999-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3396-1001-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download