903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5

Analysis

max time kernel
98s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe
Size

695KB
MD5

52f7a6a041eb915e90eaee2791eab06f
SHA1

a7cf771322287a3b0dc5673b5cfebf7bbd517085
SHA256

903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5
SHA512

083f140e55615279308bd395d545f1eb25c5d2e23a45256caf4c88775523157fb327206827f7708aa217acad44c94e885381c6030c919aa4c87d2c592cdbe255
SSDEEP

12288:ry90fstyu0xZWwpouqDGSx0QPXQ2ZRhuPHD0iDge7h8ht3C:ryisGpouyGSxJXhjuwre7h8htS

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	43599876.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	43599876.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	43599876.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	43599876.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	43599876.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	43599876.exe

Executes dropped EXE 4 IoCs

pid	Process
1148	un339815.exe
2632	43599876.exe
3656	rk292000.exe
3400	si262913.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	43599876.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	43599876.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un339815.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un339815.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
216	2632	WerFault.exe	85
3676	3656	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2632	43599876.exe
2632	43599876.exe
3656	rk292000.exe
3656	rk292000.exe
3400	si262913.exe
3400	si262913.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	43599876.exe
Token: SeDebugPrivilege	3656	rk292000.exe
Token: SeDebugPrivilege	3400	si262913.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1148	2932	903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe	84
PID 2932 wrote to memory of 1148	2932	903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe	84
PID 2932 wrote to memory of 1148	2932	903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe	84
PID 1148 wrote to memory of 2632	1148	un339815.exe	85
PID 1148 wrote to memory of 2632	1148	un339815.exe	85
PID 1148 wrote to memory of 2632	1148	un339815.exe	85
PID 1148 wrote to memory of 3656	1148	un339815.exe	92
PID 1148 wrote to memory of 3656	1148	un339815.exe	92
PID 1148 wrote to memory of 3656	1148	un339815.exe	92
PID 2932 wrote to memory of 3400	2932	903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe	95
PID 2932 wrote to memory of 3400	2932	903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe	95
PID 2932 wrote to memory of 3400	2932	903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe	95

C:\Users\Admin\AppData\Local\Temp\903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe
"C:\Users\Admin\AppData\Local\Temp\903d2749b8ecb91748bc906279cacc9b24a49234731295a6026c4606b32698f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un339815.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un339815.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43599876.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43599876.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 1080
      4⤵
      Program crash
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk292000.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk292000.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 2032
      4⤵
      Program crash
      PID:3676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si262913.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si262913.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2632 -ip 2632
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3656 -ip 3656
1⤵
PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si262913.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si262913.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un339815.exe

Filesize
541KB

MD5
4ae487402c91e99905cb9c298179486c

SHA1
8f66acb40fa972531f7c8babf6d1cb641d7e34f1

SHA256
a9bf28cd17c042b296905056593090b91539e4cb91310d305f78f784046684b7

SHA512
8664f8ab9dd383893d571bb18d42733ba2f12354a8e8b4b1014628dce8e045c42dfc8f9004ef37d6861c8c4ec25bcb4c952a92d96928e13121f6bcd205d55820

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un339815.exe

Filesize
541KB

MD5
4ae487402c91e99905cb9c298179486c

SHA1
8f66acb40fa972531f7c8babf6d1cb641d7e34f1

SHA256
a9bf28cd17c042b296905056593090b91539e4cb91310d305f78f784046684b7

SHA512
8664f8ab9dd383893d571bb18d42733ba2f12354a8e8b4b1014628dce8e045c42dfc8f9004ef37d6861c8c4ec25bcb4c952a92d96928e13121f6bcd205d55820

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43599876.exe

Filesize
264KB

MD5
795d974221a84497e1c760e737490afb

SHA1
615d2d6d38eb72483312f0edd5db82cc8612e411

SHA256
e85c6bd981a2f27fc848ede81f30e68e83d9d68175e6badf70dcd6db2ff97623

SHA512
b857d6adb6cd4e73ee7cdadf925b5e6d08ca8c84c09834ab96b056fa4c63b015df601db5a09a81912d28d6bb111917f153a1a591957a951df036803f73483249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43599876.exe

Filesize
264KB

MD5
795d974221a84497e1c760e737490afb

SHA1
615d2d6d38eb72483312f0edd5db82cc8612e411

SHA256
e85c6bd981a2f27fc848ede81f30e68e83d9d68175e6badf70dcd6db2ff97623

SHA512
b857d6adb6cd4e73ee7cdadf925b5e6d08ca8c84c09834ab96b056fa4c63b015df601db5a09a81912d28d6bb111917f153a1a591957a951df036803f73483249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk292000.exe

Filesize
348KB

MD5
bbc748db7374bb53362a0a277aa92c2b

SHA1
60bfa482cceb2263343d4fc8f9384800a8c16e7e

SHA256
ef324b24f8d36b6e81925364e6d70e45009ec5f364c05eecd244f4031cd4679b

SHA512
db9c6c0d2d13ff03de113f65afe8dc72b60b318d9d21900c5cf9470804f78f210065afd2e3509df06e59cbc70bf731ef85223adb6ac572503640c3f153a3e98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk292000.exe

Filesize
348KB

MD5
bbc748db7374bb53362a0a277aa92c2b

SHA1
60bfa482cceb2263343d4fc8f9384800a8c16e7e

SHA256
ef324b24f8d36b6e81925364e6d70e45009ec5f364c05eecd244f4031cd4679b

SHA512
db9c6c0d2d13ff03de113f65afe8dc72b60b318d9d21900c5cf9470804f78f210065afd2e3509df06e59cbc70bf731ef85223adb6ac572503640c3f153a3e98a

Download Submit
memory/2632-158-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-168-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-148-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/2632-151-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2632-152-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2632-153-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-154-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-156-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-149-0x00000000071E0000-0x0000000007784000-memory.dmp

Filesize
5.6MB

Download
memory/2632-160-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-162-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-164-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-166-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-150-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2632-170-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-172-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-174-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-176-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-178-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-180-0x0000000004C20000-0x0000000004C33000-memory.dmp

Filesize
76KB

Download
memory/2632-181-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2632-182-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2632-183-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2632-184-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2632-186-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3400-1005-0x0000000000DC0000-0x0000000000DE8000-memory.dmp

Filesize
160KB

Download
memory/3400-1006-0x0000000007BF0000-0x0000000007C00000-memory.dmp

Filesize
64KB

Download
memory/3656-191-0x0000000002CD0000-0x0000000002D16000-memory.dmp

Filesize
280KB

Download
memory/3656-193-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/3656-195-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-196-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-198-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-194-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/3656-200-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-202-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-204-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-206-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-208-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-210-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-212-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-214-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-216-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-218-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-220-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-222-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-224-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-226-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-228-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/3656-987-0x0000000009D00000-0x000000000A318000-memory.dmp

Filesize
6.1MB

Download
memory/3656-988-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/3656-989-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/3656-990-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/3656-991-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/3656-992-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/3656-993-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/3656-994-0x000000000AEC0000-0x000000000AF36000-memory.dmp

Filesize
472KB

Download
memory/3656-995-0x000000000AF80000-0x000000000AF9E000-memory.dmp

Filesize
120KB

Download
memory/3656-192-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/3656-996-0x000000000B020000-0x000000000B070000-memory.dmp

Filesize
320KB

Download
memory/3656-997-0x000000000B1A0000-0x000000000B362000-memory.dmp

Filesize
1.8MB

Download
memory/3656-998-0x000000000B380000-0x000000000B8AC000-memory.dmp

Filesize
5.2MB

Download