84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661

Analysis

max time kernel
98s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe
Size

694KB
MD5

7f459715b172300a05782becba49c643
SHA1

c38b3af3ce9a431588fe79d3e57a1ee0fa193cd3
SHA256

84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661
SHA512

9179ae06807b494d703f7fad4393142f884c7a64fbcfb61d3f75ceaebc88eaa5faa18232e8a63f1a06ec9b8d815cc41463546463707fd74d7cd084be61656391
SSDEEP

12288:Qy90bLDJWAbJ8d9wOFTJ1xrtYEwWy6Fd18bSKfA+fWafXZ:QyALDJFolFPxrt7Q6Fd18bSQX

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	71435098.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	71435098.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	71435098.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	71435098.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	71435098.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	71435098.exe

Executes dropped EXE 4 IoCs

pid	Process
4884	un374429.exe
3260	71435098.exe
2512	rk074108.exe
1232	si837935.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	71435098.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	71435098.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un374429.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un374429.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4472	3260	WerFault.exe	84
1324	2512	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3260	71435098.exe
3260	71435098.exe
2512	rk074108.exe
2512	rk074108.exe
1232	si837935.exe
1232	si837935.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	71435098.exe
Token: SeDebugPrivilege	2512	rk074108.exe
Token: SeDebugPrivilege	1232	si837935.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 4884	3704	84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe	83
PID 3704 wrote to memory of 4884	3704	84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe	83
PID 3704 wrote to memory of 4884	3704	84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe	83
PID 4884 wrote to memory of 3260	4884	un374429.exe	84
PID 4884 wrote to memory of 3260	4884	un374429.exe	84
PID 4884 wrote to memory of 3260	4884	un374429.exe	84
PID 4884 wrote to memory of 2512	4884	un374429.exe	93
PID 4884 wrote to memory of 2512	4884	un374429.exe	93
PID 4884 wrote to memory of 2512	4884	un374429.exe	93
PID 3704 wrote to memory of 1232	3704	84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe	98
PID 3704 wrote to memory of 1232	3704	84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe	98
PID 3704 wrote to memory of 1232	3704	84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe	98

C:\Users\Admin\AppData\Local\Temp\84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe
"C:\Users\Admin\AppData\Local\Temp\84156a91bb68398a6bde740f94446d774a808a4eb648d497bd1ba8e996daa661.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un374429.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un374429.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\71435098.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\71435098.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1088
      4⤵
      Program crash
      PID:4472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk074108.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk074108.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 2036
      4⤵
      Program crash
      PID:1324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si837935.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si837935.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3260 -ip 3260
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2512 -ip 2512
1⤵
PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si837935.exe

Filesize
136KB

MD5
bddaadcc91f12566dce088dfba102c2a

SHA1
6a141a09619ea3f5bbe2d946df9a8c427beb89f2

SHA256
536a77d74988fc47e1d6b53be4701d289ecf4e3598b02adcd936b4f29017a4f4

SHA512
f4b12e80f23ddbfd3c9fa79a009cb04e372f1ef6b48ea947b8c0fb14dfd3240c497be28023c78005b8dfd36a4080d98a9750606edf0a1fdfe57f53ef494e5c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si837935.exe

Filesize
136KB

MD5
bddaadcc91f12566dce088dfba102c2a

SHA1
6a141a09619ea3f5bbe2d946df9a8c427beb89f2

SHA256
536a77d74988fc47e1d6b53be4701d289ecf4e3598b02adcd936b4f29017a4f4

SHA512
f4b12e80f23ddbfd3c9fa79a009cb04e372f1ef6b48ea947b8c0fb14dfd3240c497be28023c78005b8dfd36a4080d98a9750606edf0a1fdfe57f53ef494e5c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un374429.exe

Filesize
540KB

MD5
2b6f4bfe9f94116ca84299c5169aad71

SHA1
1a668c421c001b4ea659aa7f23e503451f2fe699

SHA256
7f63b740c2ff9b3ce46ae63d4d4a46eed3f21f9945cc08c8f3e699e8bfcde33c

SHA512
22ebbedc0fb7fe6108676fa4aa4ffb23cc7146db0d20b0bc05ab4fc6308bf0e6c8573454481da2951e3b10b20989dac479a03e24bca914faa0cb0a51389c7b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un374429.exe

Filesize
540KB

MD5
2b6f4bfe9f94116ca84299c5169aad71

SHA1
1a668c421c001b4ea659aa7f23e503451f2fe699

SHA256
7f63b740c2ff9b3ce46ae63d4d4a46eed3f21f9945cc08c8f3e699e8bfcde33c

SHA512
22ebbedc0fb7fe6108676fa4aa4ffb23cc7146db0d20b0bc05ab4fc6308bf0e6c8573454481da2951e3b10b20989dac479a03e24bca914faa0cb0a51389c7b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\71435098.exe

Filesize
258KB

MD5
b13d8fe3bc6077c14ed4bd39964624ec

SHA1
4f80a54b43a6d7b00515d9cb942580e7041b7471

SHA256
16e63c811e66d003849d19e6bd586781eb90c84f51af8783cb23a991d971e6d9

SHA512
63260916f4e19d7ac6bee81ff20b369026cf82470d5a8828158e1a94a15a5d9fe7c4692db012166297986aa87ba27ce661ec1a623bbc829d640019836e4c6ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\71435098.exe

Filesize
258KB

MD5
b13d8fe3bc6077c14ed4bd39964624ec

SHA1
4f80a54b43a6d7b00515d9cb942580e7041b7471

SHA256
16e63c811e66d003849d19e6bd586781eb90c84f51af8783cb23a991d971e6d9

SHA512
63260916f4e19d7ac6bee81ff20b369026cf82470d5a8828158e1a94a15a5d9fe7c4692db012166297986aa87ba27ce661ec1a623bbc829d640019836e4c6ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk074108.exe

Filesize
340KB

MD5
2f4fe4e8a936294f77dfa60b0f88493c

SHA1
bab4bbb96742d40dc3d49e718851f102c65ba283

SHA256
9e3a69bfb1f2eb7722c57ee860c921c07ce0722ed78b852cf0547e71331f41e3

SHA512
8972e744ae07dec00cf16e17e5fb2681731bfec79d4993adfb53c311e6dbc023fe7518ddf91bbb4c1f796cbf435e6cf4a49f3356bd8e8035ab662172fb93966e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk074108.exe

Filesize
340KB

MD5
2f4fe4e8a936294f77dfa60b0f88493c

SHA1
bab4bbb96742d40dc3d49e718851f102c65ba283

SHA256
9e3a69bfb1f2eb7722c57ee860c921c07ce0722ed78b852cf0547e71331f41e3

SHA512
8972e744ae07dec00cf16e17e5fb2681731bfec79d4993adfb53c311e6dbc023fe7518ddf91bbb4c1f796cbf435e6cf4a49f3356bd8e8035ab662172fb93966e

Download Submit
memory/1232-1008-0x00000000077E0000-0x00000000077F0000-memory.dmp

Filesize
64KB

Download
memory/1232-1007-0x00000000006E0000-0x0000000000708000-memory.dmp

Filesize
160KB

Download
memory/2512-227-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-990-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2512-1002-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2512-1000-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2512-999-0x000000000B370000-0x000000000B89C000-memory.dmp

Filesize
5.2MB

Download
memory/2512-998-0x000000000B190000-0x000000000B352000-memory.dmp

Filesize
1.8MB

Download
memory/2512-997-0x000000000B100000-0x000000000B150000-memory.dmp

Filesize
320KB

Download
memory/2512-995-0x000000000B070000-0x000000000B08E000-memory.dmp

Filesize
120KB

Download
memory/2512-994-0x000000000AFC0000-0x000000000B036000-memory.dmp

Filesize
472KB

Download
memory/2512-993-0x000000000AF00000-0x000000000AF92000-memory.dmp

Filesize
584KB

Download
memory/2512-992-0x000000000A840000-0x000000000A8A6000-memory.dmp

Filesize
408KB

Download
memory/2512-991-0x000000000A540000-0x000000000A57C000-memory.dmp

Filesize
240KB

Download
memory/2512-989-0x000000000A420000-0x000000000A52A000-memory.dmp

Filesize
1.0MB

Download
memory/2512-988-0x000000000A400000-0x000000000A412000-memory.dmp

Filesize
72KB

Download
memory/2512-987-0x0000000009DE0000-0x000000000A3F8000-memory.dmp

Filesize
6.1MB

Download
memory/2512-284-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2512-225-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-223-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-221-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-219-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-217-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-191-0x00000000046E0000-0x0000000004726000-memory.dmp

Filesize
280KB

Download
memory/2512-193-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2512-192-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2512-194-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-195-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-197-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-199-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-201-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-203-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-205-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-207-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-209-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-211-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-213-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/2512-215-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3260-174-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-151-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/3260-186-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3260-184-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/3260-183-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/3260-152-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/3260-182-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/3260-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3260-180-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-178-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-156-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-176-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-154-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-170-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-153-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-168-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-166-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-164-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-162-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-160-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-158-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-172-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/3260-150-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/3260-149-0x0000000007250000-0x00000000077F4000-memory.dmp

Filesize
5.6MB

Download
memory/3260-148-0x0000000003060000-0x000000000308D000-memory.dmp

Filesize
180KB

Download