92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f

Analysis

max time kernel
97s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe
Size

694KB
MD5

b5d1b8bee757a40c9ad4052616a1afa9
SHA1

3adc8e0c96393937206455aa6b5c85262d348ffd
SHA256

92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f
SHA512

53564fee73bd807ef77e27406895b256740a6747b10e2a0785d67c6455cb97db09fc5f154bf378525e0708759a87b360f662055bad519c876ae10a4e10c8c7a9
SSDEEP

12288:Ey90OU6dtdyMK/bd16ouYXcwv9AK1gmSQNZRhuVHc0iDMe76iBKWwB:EyZU6q/Z16Oci9p+mSWjid7e76iBr+

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	79492487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	79492487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	79492487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	79492487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	79492487.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	79492487.exe

Executes dropped EXE 4 IoCs

pid	Process
4156	un233288.exe
4760	79492487.exe
2016	rk768277.exe
3500	si212961.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	79492487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	79492487.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un233288.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un233288.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2540	4760	WerFault.exe	86
744	2016	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4760	79492487.exe
4760	79492487.exe
2016	rk768277.exe
2016	rk768277.exe
3500	si212961.exe
3500	si212961.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	79492487.exe
Token: SeDebugPrivilege	2016	rk768277.exe
Token: SeDebugPrivilege	3500	si212961.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4156	4504	92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe	85
PID 4504 wrote to memory of 4156	4504	92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe	85
PID 4504 wrote to memory of 4156	4504	92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe	85
PID 4156 wrote to memory of 4760	4156	un233288.exe	86
PID 4156 wrote to memory of 4760	4156	un233288.exe	86
PID 4156 wrote to memory of 4760	4156	un233288.exe	86
PID 4156 wrote to memory of 2016	4156	un233288.exe	92
PID 4156 wrote to memory of 2016	4156	un233288.exe	92
PID 4156 wrote to memory of 2016	4156	un233288.exe	92
PID 4504 wrote to memory of 3500	4504	92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe	95
PID 4504 wrote to memory of 3500	4504	92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe	95
PID 4504 wrote to memory of 3500	4504	92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe	95

C:\Users\Admin\AppData\Local\Temp\92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe
"C:\Users\Admin\AppData\Local\Temp\92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un233288.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un233288.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79492487.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79492487.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1088
      4⤵
      Program crash
      PID:2540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768277.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768277.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2000
      4⤵
      Program crash
      PID:744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si212961.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si212961.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4760 -ip 4760
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2016 -ip 2016
1⤵
PID:3496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si212961.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si212961.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un233288.exe

Filesize
540KB

MD5
7d586674121200257ab72e873e74137b

SHA1
8a248c496c62d1c517706422385dd187ffd7418f

SHA256
b2743c8d70677103a56dcf0cea5cd28b74dc4001c445f8d317077cd9783c6514

SHA512
e44b4419e62d2e5ce50f1985af7e7c82adac42e983ac4c681aae308600afe2c9d343251e9030189a325537b1044868f9784cb26a98c0cc010476c0f65aef999e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un233288.exe

Filesize
540KB

MD5
7d586674121200257ab72e873e74137b

SHA1
8a248c496c62d1c517706422385dd187ffd7418f

SHA256
b2743c8d70677103a56dcf0cea5cd28b74dc4001c445f8d317077cd9783c6514

SHA512
e44b4419e62d2e5ce50f1985af7e7c82adac42e983ac4c681aae308600afe2c9d343251e9030189a325537b1044868f9784cb26a98c0cc010476c0f65aef999e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79492487.exe

Filesize
264KB

MD5
cc40bdf999b0ec5a7d68c1562f67f15c

SHA1
e92bb4d1506233ba3d42fafedb87a5462b19a912

SHA256
35ce24c4dc5b60f43f9f469496bbcd950cc6323a9ffe17a72664ef0858d000ec

SHA512
fc95c565e04f56d1ad2ca9f6e9f1a7a2685327fcf48aad0aa2e4512365d1e160cd124f84deed9222289eb48da1caca4b01dbe17c6daa3207dea8d1d311809a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79492487.exe

Filesize
264KB

MD5
cc40bdf999b0ec5a7d68c1562f67f15c

SHA1
e92bb4d1506233ba3d42fafedb87a5462b19a912

SHA256
35ce24c4dc5b60f43f9f469496bbcd950cc6323a9ffe17a72664ef0858d000ec

SHA512
fc95c565e04f56d1ad2ca9f6e9f1a7a2685327fcf48aad0aa2e4512365d1e160cd124f84deed9222289eb48da1caca4b01dbe17c6daa3207dea8d1d311809a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768277.exe

Filesize
348KB

MD5
510b84bd22a3726f21a0dbe32d253b04

SHA1
af626bcaa846dcb616f7cc09b1af2bcea3b51fb9

SHA256
2fb2b3acca03f918289cc0d6e251a546dbdfcd7c2c3008d534adf45abf160bf2

SHA512
18cef5278fdc5fe5e6816a0fb59d8b52a76e3e3f7b68b3921d7e74f12a8f8039f9266b0427ae1db51687190b0adad9bc908cac9f9f7d4f0221a457437deb19fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768277.exe

Filesize
348KB

MD5
510b84bd22a3726f21a0dbe32d253b04

SHA1
af626bcaa846dcb616f7cc09b1af2bcea3b51fb9

SHA256
2fb2b3acca03f918289cc0d6e251a546dbdfcd7c2c3008d534adf45abf160bf2

SHA512
18cef5278fdc5fe5e6816a0fb59d8b52a76e3e3f7b68b3921d7e74f12a8f8039f9266b0427ae1db51687190b0adad9bc908cac9f9f7d4f0221a457437deb19fc

Download Submit
memory/2016-227-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-986-0x0000000009CD0000-0x000000000A2E8000-memory.dmp

Filesize
6.1MB

Download
memory/2016-997-0x000000000BC80000-0x000000000BCD0000-memory.dmp

Filesize
320KB

Download
memory/2016-996-0x000000000B270000-0x000000000B79C000-memory.dmp

Filesize
5.2MB

Download
memory/2016-995-0x000000000B0A0000-0x000000000B262000-memory.dmp

Filesize
1.8MB

Download
memory/2016-994-0x000000000AF80000-0x000000000AF9E000-memory.dmp

Filesize
120KB

Download
memory/2016-993-0x000000000AEC0000-0x000000000AF36000-memory.dmp

Filesize
472KB

Download
memory/2016-992-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/2016-991-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/2016-990-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/2016-989-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/2016-988-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/2016-987-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/2016-225-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-223-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-221-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-219-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-217-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-215-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-213-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-211-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-209-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-190-0x0000000002C00000-0x0000000002C46000-memory.dmp

Filesize
280KB

Download
memory/2016-191-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/2016-193-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/2016-194-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-192-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-195-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/2016-197-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-199-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-203-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-205-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-201-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/2016-207-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/3500-1003-0x0000000000AB0000-0x0000000000AD8000-memory.dmp

Filesize
160KB

Download
memory/3500-1004-0x00000000078C0000-0x00000000078D0000-memory.dmp

Filesize
64KB

Download
memory/4760-173-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4760-177-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-183-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4760-182-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4760-180-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4760-179-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-172-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4760-150-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-155-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-175-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-184-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4760-151-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-163-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-169-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-167-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-165-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-171-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-161-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-159-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-157-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download
memory/4760-149-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/4760-148-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/4760-185-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4760-153-0x0000000004DB0000-0x0000000004DC3000-memory.dmp

Filesize
76KB

Download