14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f

Analysis

max time kernel
91s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe
Size

695KB
MD5

e8bfb84daa6546c7bfd202c4749f6b00
SHA1

9ac08258a6492a30881d166744a2d185c6b551c4
SHA256

14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f
SHA512

9cc6597e7d7b87ecde443063230022bbf2b71c7e251d11be287982d27d2b35e514a05228a74cfdb00ab83bb1740b73f39b47e081dec43ba780f2e99a6f012bd8
SSDEEP

12288:Ly90C5vk34FXbH0BomiVqDG2XVKKvrMtQKZRhuoHP0iDVe7UN:Ly5A+X7gniVyG2XVKKvgt9jh8+e7UN

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	95969111.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	95969111.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	95969111.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	95969111.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	95969111.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	95969111.exe

Executes dropped EXE 4 IoCs

pid	Process
2860	un946354.exe
3120	95969111.exe
4904	rk176064.exe
4368	si844105.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	95969111.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	95969111.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un946354.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un946354.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1412	3120	WerFault.exe	85
2312	4904	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3120	95969111.exe
3120	95969111.exe
4904	rk176064.exe
4904	rk176064.exe
4368	si844105.exe
4368	si844105.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3120	95969111.exe
Token: SeDebugPrivilege	4904	rk176064.exe
Token: SeDebugPrivilege	4368	si844105.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2860	2796	14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe	84
PID 2796 wrote to memory of 2860	2796	14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe	84
PID 2796 wrote to memory of 2860	2796	14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe	84
PID 2860 wrote to memory of 3120	2860	un946354.exe	85
PID 2860 wrote to memory of 3120	2860	un946354.exe	85
PID 2860 wrote to memory of 3120	2860	un946354.exe	85
PID 2860 wrote to memory of 4904	2860	un946354.exe	94
PID 2860 wrote to memory of 4904	2860	un946354.exe	94
PID 2860 wrote to memory of 4904	2860	un946354.exe	94
PID 2796 wrote to memory of 4368	2796	14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe	99
PID 2796 wrote to memory of 4368	2796	14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe	99
PID 2796 wrote to memory of 4368	2796	14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe	99

C:\Users\Admin\AppData\Local\Temp\14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe
"C:\Users\Admin\AppData\Local\Temp\14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946354.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946354.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95969111.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95969111.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1080
      4⤵
      Program crash
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk176064.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk176064.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1956
      4⤵
      Program crash
      PID:2312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si844105.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si844105.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3120 -ip 3120
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4904 -ip 4904
1⤵
PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si844105.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si844105.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946354.exe

Filesize
541KB

MD5
84aad916c6045af4d5420a5d0a393dde

SHA1
ff425f93a1c51b5e12f6c50ca8fdfef3ff0ba9a2

SHA256
2a4a89f62149b01b8238ab3c65a99469a6488de58481c2d18040a0fe23e45c26

SHA512
0aceefb775855ee1fe4adc516eb9da6e76dba890bb4f0f18aadc3f050644cad1c8559d94d41ca212c93f4fbe21c003c47e1d9599ddcbef7ecd14aa0ad1df8ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946354.exe

Filesize
541KB

MD5
84aad916c6045af4d5420a5d0a393dde

SHA1
ff425f93a1c51b5e12f6c50ca8fdfef3ff0ba9a2

SHA256
2a4a89f62149b01b8238ab3c65a99469a6488de58481c2d18040a0fe23e45c26

SHA512
0aceefb775855ee1fe4adc516eb9da6e76dba890bb4f0f18aadc3f050644cad1c8559d94d41ca212c93f4fbe21c003c47e1d9599ddcbef7ecd14aa0ad1df8ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95969111.exe

Filesize
264KB

MD5
b6ca2877de211c35cfa0cfaf7ec1b840

SHA1
44f3fd8328d6da5d32cf2ade2711effb052fa0af

SHA256
0f14ea84020d97c5393f4a5519de701884f9e5c37522b53170c938f0c73aaa56

SHA512
506e80eba3f86002b2536067876cff78badd125902dccc456e7fd75f8c343553ca471c8def5fed8da7a516275f6c197b7c0099f6c118073db198758a04180312

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95969111.exe

Filesize
264KB

MD5
b6ca2877de211c35cfa0cfaf7ec1b840

SHA1
44f3fd8328d6da5d32cf2ade2711effb052fa0af

SHA256
0f14ea84020d97c5393f4a5519de701884f9e5c37522b53170c938f0c73aaa56

SHA512
506e80eba3f86002b2536067876cff78badd125902dccc456e7fd75f8c343553ca471c8def5fed8da7a516275f6c197b7c0099f6c118073db198758a04180312

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk176064.exe

Filesize
348KB

MD5
7fb8c98aebdaa0edbc1a65b603cb54c9

SHA1
09073f1fe40b15624c0a6858642f9b4cf4d6b539

SHA256
147dec51939a499ff1f1e641f70342e95a2f192034417fdc9837e2b2bede37a1

SHA512
47c188197adb443988c80b95c0abdf3b44d46952d16e7da9516aace10e4dd6ce7a248e691546550ac4f8d9906c7f380da4c55e8640974c45c182b026441f6288

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk176064.exe

Filesize
348KB

MD5
7fb8c98aebdaa0edbc1a65b603cb54c9

SHA1
09073f1fe40b15624c0a6858642f9b4cf4d6b539

SHA256
147dec51939a499ff1f1e641f70342e95a2f192034417fdc9837e2b2bede37a1

SHA512
47c188197adb443988c80b95c0abdf3b44d46952d16e7da9516aace10e4dd6ce7a248e691546550ac4f8d9906c7f380da4c55e8640974c45c182b026441f6288

Download Submit
memory/3120-148-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

Filesize
180KB

Download
memory/3120-149-0x00000000072E0000-0x0000000007884000-memory.dmp

Filesize
5.6MB

Download
memory/3120-150-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/3120-151-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/3120-152-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/3120-153-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-154-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-156-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-158-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-160-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-162-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-164-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-166-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-168-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-170-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-172-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-174-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-176-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-178-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-180-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3120-181-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3120-182-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/3120-184-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/3120-183-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/3120-186-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4368-1008-0x0000000000D50000-0x0000000000D78000-memory.dmp

Filesize
160KB

Download
memory/4368-1009-0x0000000007DD0000-0x0000000007DE0000-memory.dmp

Filesize
64KB

Download
memory/4904-194-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-226-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/4904-196-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-198-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-200-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-202-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-204-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-206-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-208-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-210-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-212-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-214-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-216-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-218-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-222-0x0000000002C00000-0x0000000002C46000-memory.dmp

Filesize
280KB

Download
memory/4904-220-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-224-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/4904-227-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-228-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/4904-192-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-223-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-987-0x0000000009C70000-0x000000000A288000-memory.dmp

Filesize
6.1MB

Download
memory/4904-988-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/4904-989-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/4904-990-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/4904-991-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/4904-992-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/4904-993-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/4904-994-0x000000000AEE0000-0x000000000AF56000-memory.dmp

Filesize
472KB

Download
memory/4904-995-0x000000000AFC0000-0x000000000B182000-memory.dmp

Filesize
1.8MB

Download
memory/4904-996-0x000000000B190000-0x000000000B6BC000-memory.dmp

Filesize
5.2MB

Download
memory/4904-997-0x000000000B7D0000-0x000000000B7EE000-memory.dmp

Filesize
120KB

Download
memory/4904-999-0x00000000049E0000-0x0000000004A30000-memory.dmp

Filesize
320KB

Download
memory/4904-191-0x0000000007770000-0x00000000077A5000-memory.dmp

Filesize
212KB

Download
memory/4904-1001-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/4904-1003-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/4904-1002-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download