b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59

Analysis

max time kernel
99s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 04:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe
Size

695KB
MD5

621ca7c2d703d6e97ff70a99fddb1479
SHA1

0a6144c70039cc3f17ee3cd5c65778dbf44dc7dd
SHA256

b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59
SHA512

49617d4959d7da3f81849bdbd3af7d4633317968770c41d416c9585292ca379b7afa8e41a0bc3215cb27dfcfa1a2ca9b162afe88a391b938848b350521c0edb7
SSDEEP

12288:vy90bJRoBpMnxZ1IaMIDK4A6uOYll2B/Z/46W26ci18b0KFA+6BoxXvdXrRb8xR6:vyGJRoQVI7IDK4but7q6ci18b0yDxdFD

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	84565292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	84565292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	84565292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	84565292.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	84565292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	84565292.exe

Executes dropped EXE 4 IoCs

pid	Process
4872	un003931.exe
4604	84565292.exe
2536	rk282371.exe
780	si458733.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	84565292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	84565292.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un003931.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un003931.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4948	4604	WerFault.exe	85
4936	2536	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4604	84565292.exe
4604	84565292.exe
2536	rk282371.exe
2536	rk282371.exe
780	si458733.exe
780	si458733.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	84565292.exe
Token: SeDebugPrivilege	2536	rk282371.exe
Token: SeDebugPrivilege	780	si458733.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 4872	1020	b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe	84
PID 1020 wrote to memory of 4872	1020	b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe	84
PID 1020 wrote to memory of 4872	1020	b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe	84
PID 4872 wrote to memory of 4604	4872	un003931.exe	85
PID 4872 wrote to memory of 4604	4872	un003931.exe	85
PID 4872 wrote to memory of 4604	4872	un003931.exe	85
PID 4872 wrote to memory of 2536	4872	un003931.exe	91
PID 4872 wrote to memory of 2536	4872	un003931.exe	91
PID 4872 wrote to memory of 2536	4872	un003931.exe	91
PID 1020 wrote to memory of 780	1020	b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe	94
PID 1020 wrote to memory of 780	1020	b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe	94
PID 1020 wrote to memory of 780	1020	b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe	94

C:\Users\Admin\AppData\Local\Temp\b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe
"C:\Users\Admin\AppData\Local\Temp\b33a2d1ef1f808a708e621b969d2a37e606c43762717e94f94a841b871801e59.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un003931.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un003931.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84565292.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84565292.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1080
      4⤵
      Program crash
      PID:4948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk282371.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk282371.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1356
      4⤵
      Program crash
      PID:4936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si458733.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si458733.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4604 -ip 4604
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2536 -ip 2536
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si458733.exe

Filesize
136KB

MD5
bddaadcc91f12566dce088dfba102c2a

SHA1
6a141a09619ea3f5bbe2d946df9a8c427beb89f2

SHA256
536a77d74988fc47e1d6b53be4701d289ecf4e3598b02adcd936b4f29017a4f4

SHA512
f4b12e80f23ddbfd3c9fa79a009cb04e372f1ef6b48ea947b8c0fb14dfd3240c497be28023c78005b8dfd36a4080d98a9750606edf0a1fdfe57f53ef494e5c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si458733.exe

Filesize
136KB

MD5
bddaadcc91f12566dce088dfba102c2a

SHA1
6a141a09619ea3f5bbe2d946df9a8c427beb89f2

SHA256
536a77d74988fc47e1d6b53be4701d289ecf4e3598b02adcd936b4f29017a4f4

SHA512
f4b12e80f23ddbfd3c9fa79a009cb04e372f1ef6b48ea947b8c0fb14dfd3240c497be28023c78005b8dfd36a4080d98a9750606edf0a1fdfe57f53ef494e5c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un003931.exe

Filesize
541KB

MD5
a025cc907f7219f605d57b8fee86b7dd

SHA1
9bf7016e25239097b865f0c69fc638154a724da9

SHA256
762c8aec21ca83ea1e5b491cd8ecf8ef0e1af00672fd3eaca3804d974670bb9d

SHA512
095f069358dcf1852e7bd240384299555f03f02e629235287b53f50c994471b7bb21161137abd962daa17ca84ebc51994952579e656be97f1f7768db4b3cfbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un003931.exe

Filesize
541KB

MD5
a025cc907f7219f605d57b8fee86b7dd

SHA1
9bf7016e25239097b865f0c69fc638154a724da9

SHA256
762c8aec21ca83ea1e5b491cd8ecf8ef0e1af00672fd3eaca3804d974670bb9d

SHA512
095f069358dcf1852e7bd240384299555f03f02e629235287b53f50c994471b7bb21161137abd962daa17ca84ebc51994952579e656be97f1f7768db4b3cfbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84565292.exe

Filesize
258KB

MD5
b3ca00cd26e23399d8340e0176e3e785

SHA1
59e4fb6c4a07352e81d70c04b15ad99a7eb32dee

SHA256
55e697e076fad6b08971aa569afdf60cf60f836ce19ff85bb5cc496d86aaa59a

SHA512
868a9b8e9e867fbfa6d869e1a1f6e8a06291cfc253928972356020dd358b248d9409ce904f5e092b52d223a813a986cb191e41f1a4ab3143c043bdcd1299f8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84565292.exe

Filesize
258KB

MD5
b3ca00cd26e23399d8340e0176e3e785

SHA1
59e4fb6c4a07352e81d70c04b15ad99a7eb32dee

SHA256
55e697e076fad6b08971aa569afdf60cf60f836ce19ff85bb5cc496d86aaa59a

SHA512
868a9b8e9e867fbfa6d869e1a1f6e8a06291cfc253928972356020dd358b248d9409ce904f5e092b52d223a813a986cb191e41f1a4ab3143c043bdcd1299f8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk282371.exe

Filesize
340KB

MD5
bd5374f3fc658cf100e81076c35766bb

SHA1
abe4adaaae152e431423b33a7b0af06729e1360c

SHA256
0ccabf6c1ebcafea1837102bb89968b2437f9c1cfc1cbf521b590e09f18c659f

SHA512
4528632be7072be678c4ce409bbb241a4af3f0235093349cd9e7d9d6b4189ba163ba9b38eb759cf01052d04f49aa16a187b2ed2ea287522ab045db1706ceddf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk282371.exe

Filesize
340KB

MD5
bd5374f3fc658cf100e81076c35766bb

SHA1
abe4adaaae152e431423b33a7b0af06729e1360c

SHA256
0ccabf6c1ebcafea1837102bb89968b2437f9c1cfc1cbf521b590e09f18c659f

SHA512
4528632be7072be678c4ce409bbb241a4af3f0235093349cd9e7d9d6b4189ba163ba9b38eb759cf01052d04f49aa16a187b2ed2ea287522ab045db1706ceddf4

Download Submit
memory/780-1007-0x0000000007730000-0x0000000007740000-memory.dmp

Filesize
64KB

Download
memory/780-1006-0x0000000000640000-0x0000000000668000-memory.dmp

Filesize
160KB

Download
memory/2536-226-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-987-0x0000000009C70000-0x000000000A288000-memory.dmp

Filesize
6.1MB

Download
memory/2536-998-0x000000000B5C0000-0x000000000BAEC000-memory.dmp

Filesize
5.2MB

Download
memory/2536-997-0x000000000B3F0000-0x000000000B5B2000-memory.dmp

Filesize
1.8MB

Download
memory/2536-996-0x000000000AFD0000-0x000000000AFEE000-memory.dmp

Filesize
120KB

Download
memory/2536-995-0x000000000AF20000-0x000000000AF96000-memory.dmp

Filesize
472KB

Download
memory/2536-994-0x000000000AEC0000-0x000000000AF10000-memory.dmp

Filesize
320KB

Download
memory/2536-993-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/2536-992-0x000000000A740000-0x000000000A7A6000-memory.dmp

Filesize
408KB

Download
memory/2536-991-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/2536-990-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/2536-989-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/2536-988-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/2536-228-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-224-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-222-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-220-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-218-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-216-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-214-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-212-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-191-0x0000000002F20000-0x0000000002F66000-memory.dmp

Filesize
280KB

Download
memory/2536-192-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/2536-193-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/2536-194-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/2536-196-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-195-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-198-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-200-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-202-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-204-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-206-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-208-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/2536-210-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4604-177-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-151-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-186-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4604-185-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4604-184-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4604-183-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4604-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4604-153-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-180-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4604-159-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-179-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4604-178-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4604-157-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-173-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-155-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-171-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-169-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-167-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-165-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-163-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-161-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-175-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-150-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/4604-149-0x0000000007180000-0x0000000007724000-memory.dmp

Filesize
5.6MB

Download
memory/4604-148-0x0000000002CE0000-0x0000000002D0D000-memory.dmp

Filesize
180KB

Download