ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe
Size

694KB
MD5

d7d159afb2c4d6e507ce4f6a906bc63d
SHA1

99939613a7317775088a7af56c408fd9b12f1535
SHA256

ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984
SHA512

a3ba241616bc84760ac0c36575f3041669f85843c0e9827487344895c4e8bbe3ba440480e96862b4c6ea95784adf97f44a66f6a4a90ff96d97229f38d9459d4f
SSDEEP

12288:Qy90LUvx33SvsqOhgMv2ootaQkeS/AsJtbXwUn5vleu2KivgrW:QylvxyvlKgMvvoU7jbXwU3WKiv/

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	45025868.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	45025868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	45025868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	45025868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	45025868.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	45025868.exe

Executes dropped EXE 4 IoCs

pid	Process
4160	un389176.exe
4260	45025868.exe
3852	rk537005.exe
3928	si681973.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	45025868.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	45025868.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un389176.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un389176.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2372	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4908	4260	WerFault.exe	85
2284	3852	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4260	45025868.exe
4260	45025868.exe
3852	rk537005.exe
3852	rk537005.exe
3928	si681973.exe
3928	si681973.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	45025868.exe
Token: SeDebugPrivilege	3852	rk537005.exe
Token: SeDebugPrivilege	3928	si681973.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4160	2680	ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe	84
PID 2680 wrote to memory of 4160	2680	ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe	84
PID 2680 wrote to memory of 4160	2680	ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe	84
PID 4160 wrote to memory of 4260	4160	un389176.exe	85
PID 4160 wrote to memory of 4260	4160	un389176.exe	85
PID 4160 wrote to memory of 4260	4160	un389176.exe	85
PID 4160 wrote to memory of 3852	4160	un389176.exe	91
PID 4160 wrote to memory of 3852	4160	un389176.exe	91
PID 4160 wrote to memory of 3852	4160	un389176.exe	91
PID 2680 wrote to memory of 3928	2680	ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe	95
PID 2680 wrote to memory of 3928	2680	ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe	95
PID 2680 wrote to memory of 3928	2680	ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe	95

C:\Users\Admin\AppData\Local\Temp\ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe
"C:\Users\Admin\AppData\Local\Temp\ef1928f8c4cdc932de0e93dbae780dada3f68435c668e1a089d9b70d65f42984.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un389176.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un389176.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\45025868.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\45025868.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 1072
      4⤵
      Program crash
      PID:4908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk537005.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk537005.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1880
      4⤵
      Program crash
      PID:2284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si681973.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si681973.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4260 -ip 4260
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3852 -ip 3852
1⤵
PID:452

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si681973.exe

Filesize
136KB

MD5
73cae2858379cab7e68b9e5bf751c372

SHA1
38c375354bda6e5c8fb2579f1ef0416a6c65929a

SHA256
e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c

SHA512
343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si681973.exe

Filesize
136KB

MD5
73cae2858379cab7e68b9e5bf751c372

SHA1
38c375354bda6e5c8fb2579f1ef0416a6c65929a

SHA256
e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c

SHA512
343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un389176.exe

Filesize
540KB

MD5
392863c25f1826930fa03919e93e10f9

SHA1
f741b2e2daca66a4b1adbbf0c1a8998cab4b54e3

SHA256
2af4acf2469283f9070545edc4ed919d24ed720e7d3690ac0891e53c3b898a41

SHA512
f2ddb7393a79b62a61cfa74588609719af77726000c6d609fd23dc3732c9833cb5903825a134403f33143107082682245055545ec4d1c5a15d716400f2776438

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un389176.exe

Filesize
540KB

MD5
392863c25f1826930fa03919e93e10f9

SHA1
f741b2e2daca66a4b1adbbf0c1a8998cab4b54e3

SHA256
2af4acf2469283f9070545edc4ed919d24ed720e7d3690ac0891e53c3b898a41

SHA512
f2ddb7393a79b62a61cfa74588609719af77726000c6d609fd23dc3732c9833cb5903825a134403f33143107082682245055545ec4d1c5a15d716400f2776438

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\45025868.exe

Filesize
257KB

MD5
227ad85d7fc9e27175c13c75bf2bfd8f

SHA1
a3e7f08ab00b9a054fdf04016d1ea446f3b44a21

SHA256
045aaa75f96c1bb47c42ad0e20d04eda8e80ff280cbabdd862180593e197fa1a

SHA512
7881c560c601c25b44830043fedb78d99db7df60bfc64bb40ab923ea775092c4a945e6576052ae0c1931ca707b3dd7bcd9aac334591288087ad5457cd134e1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\45025868.exe

Filesize
257KB

MD5
227ad85d7fc9e27175c13c75bf2bfd8f

SHA1
a3e7f08ab00b9a054fdf04016d1ea446f3b44a21

SHA256
045aaa75f96c1bb47c42ad0e20d04eda8e80ff280cbabdd862180593e197fa1a

SHA512
7881c560c601c25b44830043fedb78d99db7df60bfc64bb40ab923ea775092c4a945e6576052ae0c1931ca707b3dd7bcd9aac334591288087ad5457cd134e1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk537005.exe

Filesize
340KB

MD5
d51cce90a3ec98840fc04dbd3fd059ec

SHA1
c40659fe54a1ef7400320173afdae370a266c908

SHA256
f44df98a4085f23a7f4d2746797d613b7a8b4c67c2630d0bd8b6db48c6279385

SHA512
9f5095c9d49ad0c726939ca7a44ef80565867ba061b9b3247631a1b024fa07ca4c0dd3d988c475f2152676f7638d7f5704876d546e866cc5dcd4840629d5ed1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk537005.exe

Filesize
340KB

MD5
d51cce90a3ec98840fc04dbd3fd059ec

SHA1
c40659fe54a1ef7400320173afdae370a266c908

SHA256
f44df98a4085f23a7f4d2746797d613b7a8b4c67c2630d0bd8b6db48c6279385

SHA512
9f5095c9d49ad0c726939ca7a44ef80565867ba061b9b3247631a1b024fa07ca4c0dd3d988c475f2152676f7638d7f5704876d546e866cc5dcd4840629d5ed1b

Download Submit
memory/3852-988-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/3852-989-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/3852-1002-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3852-1001-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3852-1000-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3852-999-0x000000000B910000-0x000000000B92E000-memory.dmp

Filesize
120KB

Download
memory/3852-997-0x000000000B2E0000-0x000000000B80C000-memory.dmp

Filesize
5.2MB

Download
memory/3852-996-0x000000000B0F0000-0x000000000B2B2000-memory.dmp

Filesize
1.8MB

Download
memory/3852-995-0x000000000B020000-0x000000000B096000-memory.dmp

Filesize
472KB

Download
memory/3852-994-0x000000000AFC0000-0x000000000B010000-memory.dmp

Filesize
320KB

Download
memory/3852-993-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/3852-992-0x000000000A740000-0x000000000A7A6000-memory.dmp

Filesize
408KB

Download
memory/3852-991-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3852-990-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/3852-203-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-987-0x0000000009C80000-0x000000000A298000-memory.dmp

Filesize
6.1MB

Download
memory/3852-228-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-226-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-224-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-222-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-207-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-218-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3852-220-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-191-0x0000000002C80000-0x0000000002CC6000-memory.dmp

Filesize
280KB

Download
memory/3852-192-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-193-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-195-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-197-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-199-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-201-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-219-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3852-209-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-215-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-205-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-211-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-213-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3852-216-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3928-1008-0x0000000000D20000-0x0000000000D48000-memory.dmp

Filesize
160KB

Download
memory/3928-1009-0x0000000007DD0000-0x0000000007DE0000-memory.dmp

Filesize
64KB

Download
memory/4260-156-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-149-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4260-185-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4260-184-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4260-182-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4260-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4260-180-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4260-150-0x0000000007280000-0x0000000007824000-memory.dmp

Filesize
5.6MB

Download
memory/4260-179-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4260-154-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-178-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-186-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4260-174-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-168-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-172-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-166-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-164-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-162-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-160-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-158-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-176-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-170-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-148-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/4260-152-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download
memory/4260-151-0x0000000004D60000-0x0000000004D73000-memory.dmp

Filesize
76KB

Download