a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65

Analysis

max time kernel
109s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe
Size

695KB
MD5

e27443752fa90c5f2c37cb2e4e31ce3f
SHA1

842442707532f3c652d6923b013b0548302421ae
SHA256

a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65
SHA512

871804a0755b538c33d789d24b9c5e5e22f53958ef94f1f4eaa09dc7f3266f18e5151e8d4bcee47c2a9229aa81c5ae235386e578ad2734ba8a1ae0e054eef4f6
SSDEEP

12288:ky90fZtWDcXhH1BNrIavVg1q1xg5V3I4kOkX3KVo0iNUm5zSkkxOON:kyvcX3BZ10q1G5IpX3n0iNd5zSkKn

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	60780093.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	60780093.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	60780093.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	60780093.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	60780093.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	60780093.exe

Executes dropped EXE 4 IoCs

pid	Process
1688	un605161.exe
3648	60780093.exe
4384	rk012365.exe
4804	si041172.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	60780093.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	60780093.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un605161.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un605161.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1500	3648	WerFault.exe	86
4736	4384	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3648	60780093.exe
3648	60780093.exe
4384	rk012365.exe
4384	rk012365.exe
4804	si041172.exe
4804	si041172.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3648	60780093.exe
Token: SeDebugPrivilege	4384	rk012365.exe
Token: SeDebugPrivilege	4804	si041172.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 1688	3768	a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe	85
PID 3768 wrote to memory of 1688	3768	a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe	85
PID 3768 wrote to memory of 1688	3768	a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe	85
PID 1688 wrote to memory of 3648	1688	un605161.exe	86
PID 1688 wrote to memory of 3648	1688	un605161.exe	86
PID 1688 wrote to memory of 3648	1688	un605161.exe	86
PID 1688 wrote to memory of 4384	1688	un605161.exe	92
PID 1688 wrote to memory of 4384	1688	un605161.exe	92
PID 1688 wrote to memory of 4384	1688	un605161.exe	92
PID 3768 wrote to memory of 4804	3768	a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe	95
PID 3768 wrote to memory of 4804	3768	a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe	95
PID 3768 wrote to memory of 4804	3768	a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe	95

C:\Users\Admin\AppData\Local\Temp\a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe
"C:\Users\Admin\AppData\Local\Temp\a0fb23cffb9377591fd83a8fb4a67b354a8ed34c64549cfe403b9ea3ff154f65.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un605161.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un605161.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\60780093.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\60780093.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1084
      4⤵
      Program crash
      PID:1500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk012365.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk012365.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1964
      4⤵
      Program crash
      PID:4736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si041172.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si041172.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3648 -ip 3648
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4384 -ip 4384
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si041172.exe

Filesize
136KB

MD5
73cae2858379cab7e68b9e5bf751c372

SHA1
38c375354bda6e5c8fb2579f1ef0416a6c65929a

SHA256
e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c

SHA512
343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si041172.exe

Filesize
136KB

MD5
73cae2858379cab7e68b9e5bf751c372

SHA1
38c375354bda6e5c8fb2579f1ef0416a6c65929a

SHA256
e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c

SHA512
343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un605161.exe

Filesize
542KB

MD5
2638bf0d54f8b34f28c8d9b22c4feb8b

SHA1
cc19a06949d6fb58796ed97d8e89a50ec8b90f52

SHA256
1494fae4dc81df8dffbf20334fd4694d5dfaa8047c9a88419096ee572271caa0

SHA512
d8d35e3d8f9a59f5ba280557fa40f42f90cba3641fd1f345f8d3d0ac8b95b8d8bfeb0f0ca20958bb1d1e11350cd9bbb53f7e4ca78eed38ee44871b6478495ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un605161.exe

Filesize
542KB

MD5
2638bf0d54f8b34f28c8d9b22c4feb8b

SHA1
cc19a06949d6fb58796ed97d8e89a50ec8b90f52

SHA256
1494fae4dc81df8dffbf20334fd4694d5dfaa8047c9a88419096ee572271caa0

SHA512
d8d35e3d8f9a59f5ba280557fa40f42f90cba3641fd1f345f8d3d0ac8b95b8d8bfeb0f0ca20958bb1d1e11350cd9bbb53f7e4ca78eed38ee44871b6478495ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\60780093.exe

Filesize
258KB

MD5
e9561dc867ce7e4cdacccd67567ee3e7

SHA1
df464aaced3c33c061df7beb13ad7de98c42a1cc

SHA256
5e234f53267c591f95bddefba589e440cecbfcf100367b104955a496cce89f45

SHA512
5fadbd46fc1d23dbbf333b4f1aa6795f87e18ba222c14178405b6ba2b17c8cec70b1dbe0d7e02877cefe649744320f822dec3eee454da5649740f4e4954acb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\60780093.exe

Filesize
258KB

MD5
e9561dc867ce7e4cdacccd67567ee3e7

SHA1
df464aaced3c33c061df7beb13ad7de98c42a1cc

SHA256
5e234f53267c591f95bddefba589e440cecbfcf100367b104955a496cce89f45

SHA512
5fadbd46fc1d23dbbf333b4f1aa6795f87e18ba222c14178405b6ba2b17c8cec70b1dbe0d7e02877cefe649744320f822dec3eee454da5649740f4e4954acb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk012365.exe

Filesize
340KB

MD5
2ff1c38bcf25147a7cb38751bab94475

SHA1
97cc50ff5154122d5c24e45a6323fffb92d57cdf

SHA256
8aca5fcee836c4f4344dff09b420c2ae493f8ba9fa2e34efbdb622f6ae935f99

SHA512
3337b4791bd0400e2af9d462e37a0badb8743433d1bb24592cb44cdb2e3bfcc326b6024bdd548cbc69f896a533390b328b23bd3bf02774b6666cd0f8ef4d8ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk012365.exe

Filesize
340KB

MD5
2ff1c38bcf25147a7cb38751bab94475

SHA1
97cc50ff5154122d5c24e45a6323fffb92d57cdf

SHA256
8aca5fcee836c4f4344dff09b420c2ae493f8ba9fa2e34efbdb622f6ae935f99

SHA512
3337b4791bd0400e2af9d462e37a0badb8743433d1bb24592cb44cdb2e3bfcc326b6024bdd548cbc69f896a533390b328b23bd3bf02774b6666cd0f8ef4d8ce2

Download Submit
memory/3648-148-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

Filesize
180KB

Download
memory/3648-149-0x00000000071B0000-0x0000000007754000-memory.dmp

Filesize
5.6MB

Download
memory/3648-150-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-151-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-153-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-155-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-157-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-159-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-161-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-162-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3648-163-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3648-166-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-165-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3648-168-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-170-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-172-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-174-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-176-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-178-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-180-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3648-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3648-183-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3648-184-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3648-185-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4384-190-0x0000000002C80000-0x0000000002CC6000-memory.dmp

Filesize
280KB

Download
memory/4384-191-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4384-192-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4384-193-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-194-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4384-195-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-197-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-199-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-201-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-203-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-205-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-207-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-209-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-211-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-213-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-215-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-217-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-219-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-221-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-223-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-225-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-227-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4384-986-0x0000000009C40000-0x000000000A258000-memory.dmp

Filesize
6.1MB

Download
memory/4384-987-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/4384-988-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/4384-989-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/4384-990-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4384-991-0x000000000A740000-0x000000000A7A6000-memory.dmp

Filesize
408KB

Download
memory/4384-992-0x000000000AE00000-0x000000000AE92000-memory.dmp

Filesize
584KB

Download
memory/4384-993-0x000000000AED0000-0x000000000AF46000-memory.dmp

Filesize
472KB

Download
memory/4384-994-0x000000000AF70000-0x000000000AF8E000-memory.dmp

Filesize
120KB

Download
memory/4384-995-0x000000000B190000-0x000000000B352000-memory.dmp

Filesize
1.8MB

Download
memory/4384-996-0x000000000B360000-0x000000000B88C000-memory.dmp

Filesize
5.2MB

Download
memory/4384-997-0x0000000004A40000-0x0000000004A90000-memory.dmp

Filesize
320KB

Download
memory/4804-1004-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/4804-1005-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download