fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe
Size

695KB
MD5

e5c7f2b6b62dff9e95c160a63e95c0cf
SHA1

52dc586e7c1783f723604fb78d0f3a2d22507c79
SHA256

fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e
SHA512

f930134ba5130b11882f1b52c18a2fec9dee6f453d278504dd6c25e306bebf7d81a58857fe181400a3efd46cd4c30d5622a4f4a83935d0b233eb362c8a1417e6
SSDEEP

12288:Zy90niAge5+LG9RzFiBW3rWecogh/q0gHedU2ld3j/dX+u4VT8nQFZRhuVHf0iDz:Zye2GfccrBcoggl8U2lNj/MTUyj8MTef

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	47101728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	47101728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	47101728.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	47101728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	47101728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	47101728.exe

Executes dropped EXE 4 IoCs

pid	Process
1380	un063342.exe
2168	47101728.exe
3744	rk063864.exe
3880	si566548.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	47101728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	47101728.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un063342.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un063342.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1920	2168	WerFault.exe	83
4932	3744	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2168	47101728.exe
2168	47101728.exe
3744	rk063864.exe
3744	rk063864.exe
3880	si566548.exe
3880	si566548.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	47101728.exe
Token: SeDebugPrivilege	3744	rk063864.exe
Token: SeDebugPrivilege	3880	si566548.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1380	2312	fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe	82
PID 2312 wrote to memory of 1380	2312	fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe	82
PID 2312 wrote to memory of 1380	2312	fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe	82
PID 1380 wrote to memory of 2168	1380	un063342.exe	83
PID 1380 wrote to memory of 2168	1380	un063342.exe	83
PID 1380 wrote to memory of 2168	1380	un063342.exe	83
PID 1380 wrote to memory of 3744	1380	un063342.exe	89
PID 1380 wrote to memory of 3744	1380	un063342.exe	89
PID 1380 wrote to memory of 3744	1380	un063342.exe	89
PID 2312 wrote to memory of 3880	2312	fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe	92
PID 2312 wrote to memory of 3880	2312	fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe	92
PID 2312 wrote to memory of 3880	2312	fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe	92

C:\Users\Admin\AppData\Local\Temp\fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe
"C:\Users\Admin\AppData\Local\Temp\fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un063342.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un063342.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47101728.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47101728.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1080
      4⤵
      Program crash
      PID:1920
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk063864.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk063864.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1428
      4⤵
      Program crash
      PID:4932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si566548.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si566548.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2168 -ip 2168
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3744 -ip 3744
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si566548.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si566548.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un063342.exe

Filesize
541KB

MD5
3e4b33cd8cf6f7f2bfb0082e8f4b9bae

SHA1
225c47ab7087ab6f7c402a868d3f49511e1d4332

SHA256
486d19d1ba95e75336f79b43259f2760f0d46105d2213631d8b2ca56acfa3331

SHA512
9e7558d8524ec366d3e8fa5399fd4c2abfd426ff27d065439bf4ebfbc11335da992430ed8bde0b573580aa69dae5d6c0aff44c7b30ae551b2db9cde004490195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un063342.exe

Filesize
541KB

MD5
3e4b33cd8cf6f7f2bfb0082e8f4b9bae

SHA1
225c47ab7087ab6f7c402a868d3f49511e1d4332

SHA256
486d19d1ba95e75336f79b43259f2760f0d46105d2213631d8b2ca56acfa3331

SHA512
9e7558d8524ec366d3e8fa5399fd4c2abfd426ff27d065439bf4ebfbc11335da992430ed8bde0b573580aa69dae5d6c0aff44c7b30ae551b2db9cde004490195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47101728.exe

Filesize
264KB

MD5
2ac2a70a02a0d8d3c7b3f1a9bbf26628

SHA1
1e6813dc131a5cd09c9213906a1227302dc43efe

SHA256
d01896b6581ba0b323b555f6b80e4a322a57787ec971c3e5ce1035a92c9bda73

SHA512
bf631468907c811b9c1326c358f27ec9226dfd9c13e5aa5a7de6f7ec231e0c7a137134a954ec0aef86d8d56cdfcb2c5a3381354e458b0ddc9254ac323c92ac42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47101728.exe

Filesize
264KB

MD5
2ac2a70a02a0d8d3c7b3f1a9bbf26628

SHA1
1e6813dc131a5cd09c9213906a1227302dc43efe

SHA256
d01896b6581ba0b323b555f6b80e4a322a57787ec971c3e5ce1035a92c9bda73

SHA512
bf631468907c811b9c1326c358f27ec9226dfd9c13e5aa5a7de6f7ec231e0c7a137134a954ec0aef86d8d56cdfcb2c5a3381354e458b0ddc9254ac323c92ac42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk063864.exe

Filesize
348KB

MD5
249dbb64423a7247d09f1e38d35e4c50

SHA1
9dcd2873f78efe61fb03fc25283bebea106d3d13

SHA256
bcbcfa55a9299de1b177ebe5a935a14daf76a70211511deb1920238047f1a2d2

SHA512
679dc0a5e9dd885db20624636305c895c48e97b28fe3007a1b591ac572324fd7179a69f6e4094cc855f5d54706bed2fe51f2d1fff07c79cb608898f850ea5fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk063864.exe

Filesize
348KB

MD5
249dbb64423a7247d09f1e38d35e4c50

SHA1
9dcd2873f78efe61fb03fc25283bebea106d3d13

SHA256
bcbcfa55a9299de1b177ebe5a935a14daf76a70211511deb1920238047f1a2d2

SHA512
679dc0a5e9dd885db20624636305c895c48e97b28fe3007a1b591ac572324fd7179a69f6e4094cc855f5d54706bed2fe51f2d1fff07c79cb608898f850ea5fa5

Download Submit
memory/2168-149-0x00000000072F0000-0x0000000007894000-memory.dmp

Filesize
5.6MB

Download
memory/2168-150-0x0000000002C00000-0x0000000002C2D000-memory.dmp

Filesize
180KB

Download
memory/2168-153-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-152-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-154-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2168-151-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2168-156-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2168-157-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-159-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-161-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-163-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-165-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-169-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-167-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-171-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-173-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-175-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-177-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-181-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-179-0x0000000004BB0000-0x0000000004BC3000-memory.dmp

Filesize
76KB

Download
memory/2168-182-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2168-184-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2168-186-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2168-185-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2168-187-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3744-195-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-211-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-197-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-193-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-199-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-201-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-203-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-205-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-207-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-209-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-212-0x00000000046C0000-0x0000000004706000-memory.dmp

Filesize
280KB

Download
memory/3744-214-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/3744-216-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/3744-218-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/3744-219-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-221-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-215-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-192-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-223-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-225-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-227-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-229-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3744-988-0x0000000009C50000-0x000000000A268000-memory.dmp

Filesize
6.1MB

Download
memory/3744-989-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/3744-990-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/3744-991-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/3744-992-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/3744-993-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/3744-994-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/3744-995-0x000000000AFE0000-0x000000000B056000-memory.dmp

Filesize
472KB

Download
memory/3744-996-0x000000000B0B0000-0x000000000B272000-memory.dmp

Filesize
1.8MB

Download
memory/3744-997-0x000000000B290000-0x000000000B7BC000-memory.dmp

Filesize
5.2MB

Download
memory/3744-998-0x000000000B8D0000-0x000000000B8EE000-memory.dmp

Filesize
120KB

Download
memory/3744-999-0x0000000006BC0000-0x0000000006C10000-memory.dmp

Filesize
320KB

Download
memory/3880-1006-0x0000000000C30000-0x0000000000C58000-memory.dmp

Filesize
160KB

Download
memory/3880-1007-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download