7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3

Analysis

max time kernel
58s
max time network
61s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-04-2023 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe
Size

687KB
MD5

ad86245291259bf632718ee00a0422c8
SHA1

0e469535ddf38379db22b6bd807ba0b1c1e5c6e4
SHA256

7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3
SHA512

7a9e73d450d1c2e11baf46468fdb08cf9302ea194aec65a25cf492d0f08e579f50be04bf71b0f1e03c5e9a86dff5fc4f2f862d532840b112436454d4e0009ec3
SSDEEP

12288:xy90VKN25aKpQzKdHNSLFmyCSarFzltzXsahuYXCV5qs+4/5S3bYkKo+y:xy60KSmHNIASMPF8KuqCrqm5WkNBy

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	39034414.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	39034414.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	39034414.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	39034414.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	39034414.exe

Executes dropped EXE 4 IoCs

pid	Process
4240	un405843.exe
1788	39034414.exe
4920	rk968759.exe
4056	si727066.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	39034414.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	39034414.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un405843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un405843.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1788	39034414.exe
1788	39034414.exe
4920	rk968759.exe
4920	rk968759.exe
4056	si727066.exe
4056	si727066.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	39034414.exe
Token: SeDebugPrivilege	4920	rk968759.exe
Token: SeDebugPrivilege	4056	si727066.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4240	4220	7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe	67
PID 4220 wrote to memory of 4240	4220	7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe	67
PID 4220 wrote to memory of 4240	4220	7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe	67
PID 4240 wrote to memory of 1788	4240	un405843.exe	68
PID 4240 wrote to memory of 1788	4240	un405843.exe	68
PID 4240 wrote to memory of 1788	4240	un405843.exe	68
PID 4240 wrote to memory of 4920	4240	un405843.exe	69
PID 4240 wrote to memory of 4920	4240	un405843.exe	69
PID 4240 wrote to memory of 4920	4240	un405843.exe	69
PID 4220 wrote to memory of 4056	4220	7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe	71
PID 4220 wrote to memory of 4056	4220	7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe	71
PID 4220 wrote to memory of 4056	4220	7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe	71

C:\Users\Admin\AppData\Local\Temp\7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe
"C:\Users\Admin\AppData\Local\Temp\7eb5e5da3a48d3469d2279e5e24c3d282e051a47d8d363b97482795c1c2e15e3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405843.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405843.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39034414.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39034414.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk968759.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk968759.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si727066.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si727066.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si727066.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si727066.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405843.exe

Filesize
533KB

MD5
3ca2c8d8ee2210b973a393b7d396d5be

SHA1
76c9fe5d479998080e55551b1f722f6fac56f0b6

SHA256
a8e8e006511a90d7d33a0f0dc3c28021c24d209377360584cf92943c3008e400

SHA512
2465d1686e10625f1f1e9decce9ffc9bcd0db585ebb2cc3f0fd3ec13bb1e64e80fe0cbfd93fd0cedafe8f6e5e5de39e2f513adff9b24d4671da8871c78dfa701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405843.exe

Filesize
533KB

MD5
3ca2c8d8ee2210b973a393b7d396d5be

SHA1
76c9fe5d479998080e55551b1f722f6fac56f0b6

SHA256
a8e8e006511a90d7d33a0f0dc3c28021c24d209377360584cf92943c3008e400

SHA512
2465d1686e10625f1f1e9decce9ffc9bcd0db585ebb2cc3f0fd3ec13bb1e64e80fe0cbfd93fd0cedafe8f6e5e5de39e2f513adff9b24d4671da8871c78dfa701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39034414.exe

Filesize
249KB

MD5
5347b45e440bdae3ebbc593f32d34136

SHA1
fc4a57519a6327c2ca3b4f2b88dba08faa18451a

SHA256
12e79c9b8ba4274252b5bd016f78a11544ad62a48e66c175328cedc9ec838894

SHA512
74255ed14575e9e3462e78a1c8d72ed2bf509e42debce58396ca8efd49234128c55e7b49b5d3107ad632c08ec7fd3517d83b0276e3a2acd95862ef433337dadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39034414.exe

Filesize
249KB

MD5
5347b45e440bdae3ebbc593f32d34136

SHA1
fc4a57519a6327c2ca3b4f2b88dba08faa18451a

SHA256
12e79c9b8ba4274252b5bd016f78a11544ad62a48e66c175328cedc9ec838894

SHA512
74255ed14575e9e3462e78a1c8d72ed2bf509e42debce58396ca8efd49234128c55e7b49b5d3107ad632c08ec7fd3517d83b0276e3a2acd95862ef433337dadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk968759.exe

Filesize
332KB

MD5
a7c66263a284568d153c356bf147fec6

SHA1
38df7e36d0fb25308bc0f5ec0ab3aaefe93ec023

SHA256
ac3a0d336a2e3bb9f99b04e1ce9ebc91db98080607281ba654da0d89c37f69d5

SHA512
6044e58efda72b7fea297ef396c1165618ffcd4abca42af998e622c77a5d91c343af2b7c3778db12fd918b67391089513783e6f0cd79b552b456e73af01920b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk968759.exe

Filesize
332KB

MD5
a7c66263a284568d153c356bf147fec6

SHA1
38df7e36d0fb25308bc0f5ec0ab3aaefe93ec023

SHA256
ac3a0d336a2e3bb9f99b04e1ce9ebc91db98080607281ba654da0d89c37f69d5

SHA512
6044e58efda72b7fea297ef396c1165618ffcd4abca42af998e622c77a5d91c343af2b7c3778db12fd918b67391089513783e6f0cd79b552b456e73af01920b8

Download Submit
memory/1788-143-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-153-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-133-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

Filesize
180KB

Download
memory/1788-134-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/1788-136-0x0000000004B90000-0x0000000004BA8000-memory.dmp

Filesize
96KB

Download
memory/1788-135-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/1788-137-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/1788-138-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-139-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-141-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-131-0x0000000002F90000-0x0000000002FAA000-memory.dmp

Filesize
104KB

Download
memory/1788-145-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-147-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-149-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-151-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-132-0x0000000007400000-0x00000000078FE000-memory.dmp

Filesize
5.0MB

Download
memory/1788-155-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-157-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-159-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-161-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-163-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-165-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/1788-166-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/1788-167-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/1788-168-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/1788-169-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/1788-171-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/4056-993-0x0000000000A10000-0x0000000000A38000-memory.dmp

Filesize
160KB

Download
memory/4056-994-0x00000000077A0000-0x00000000077B0000-memory.dmp

Filesize
64KB

Download
memory/4056-995-0x00000000077B0000-0x00000000077FB000-memory.dmp

Filesize
300KB

Download
memory/4920-176-0x0000000004D80000-0x0000000004DBC000-memory.dmp

Filesize
240KB

Download
memory/4920-179-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-181-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-183-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-185-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-187-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-189-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-191-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-193-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-195-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-197-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-199-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-207-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-205-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-203-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-201-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-209-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-211-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-405-0x0000000002CE0000-0x0000000002D26000-memory.dmp

Filesize
280KB

Download
memory/4920-407-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/4920-409-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/4920-410-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/4920-974-0x000000000A1C0000-0x000000000A7C6000-memory.dmp

Filesize
6.0MB

Download
memory/4920-975-0x0000000009BE0000-0x0000000009BF2000-memory.dmp

Filesize
72KB

Download
memory/4920-976-0x0000000009C10000-0x0000000009D1A000-memory.dmp

Filesize
1.0MB

Download
memory/4920-977-0x0000000009D30000-0x0000000009D6E000-memory.dmp

Filesize
248KB

Download
memory/4920-978-0x0000000009DB0000-0x0000000009DFB000-memory.dmp

Filesize
300KB

Download
memory/4920-979-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/4920-980-0x000000000A040000-0x000000000A0A6000-memory.dmp

Filesize
408KB

Download
memory/4920-981-0x000000000AD30000-0x000000000ADC2000-memory.dmp

Filesize
584KB

Download
memory/4920-982-0x000000000ADD0000-0x000000000AE46000-memory.dmp

Filesize
472KB

Download
memory/4920-983-0x000000000AE70000-0x000000000AE8E000-memory.dmp

Filesize
120KB

Download
memory/4920-178-0x0000000007160000-0x0000000007195000-memory.dmp

Filesize
212KB

Download
memory/4920-177-0x0000000007160000-0x000000000719A000-memory.dmp

Filesize
232KB

Download
memory/4920-984-0x000000000B040000-0x000000000B202000-memory.dmp

Filesize
1.8MB

Download
memory/4920-985-0x000000000B210000-0x000000000B73C000-memory.dmp

Filesize
5.2MB

Download
memory/4920-986-0x0000000004C00000-0x0000000004C50000-memory.dmp

Filesize
320KB

Download