6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc

Analysis

max time kernel
85s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe
Size

696KB
MD5

601d03c429188518122c07c29ae0f737
SHA1

cd394adac9b2dab5b4d18f858517ee5cbef53b3a
SHA256

6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc
SHA512

c374fba5bdf0743e929c93c4a1ef84aab1cbb6237ab568df7353c5ee5c3eaec185f0616225c542622feac672d5b64419539d7574626f5967948f2146d483493d
SSDEEP

12288:qy90qQT6n2AvNzQnPzmGhYsAxyuvAjj2jx7fWJEttdUlMwgTphUg:qy1CUzQnPiGhlAxypCjVeMtaPQphUg

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	22330802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	22330802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	22330802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	22330802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	22330802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	22330802.exe

Executes dropped EXE 4 IoCs

pid	Process
2904	un275168.exe
3940	22330802.exe
648	rk456808.exe
2520	si332601.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	22330802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	22330802.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un275168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un275168.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2892	3940	WerFault.exe	87
3604	648	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3940	22330802.exe
3940	22330802.exe
648	rk456808.exe
648	rk456808.exe
2520	si332601.exe
2520	si332601.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	22330802.exe
Token: SeDebugPrivilege	648	rk456808.exe
Token: SeDebugPrivilege	2520	si332601.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2904	392	6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe	86
PID 392 wrote to memory of 2904	392	6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe	86
PID 392 wrote to memory of 2904	392	6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe	86
PID 2904 wrote to memory of 3940	2904	un275168.exe	87
PID 2904 wrote to memory of 3940	2904	un275168.exe	87
PID 2904 wrote to memory of 3940	2904	un275168.exe	87
PID 2904 wrote to memory of 648	2904	un275168.exe	93
PID 2904 wrote to memory of 648	2904	un275168.exe	93
PID 2904 wrote to memory of 648	2904	un275168.exe	93
PID 392 wrote to memory of 2520	392	6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe	96
PID 392 wrote to memory of 2520	392	6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe	96
PID 392 wrote to memory of 2520	392	6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe	96

C:\Users\Admin\AppData\Local\Temp\6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe
"C:\Users\Admin\AppData\Local\Temp\6f74e2eebf76975fe19c69bae2a18a1aa87f48e4f5cc97c08ae7f4fc2a751dfc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275168.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275168.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\22330802.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\22330802.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1080
      4⤵
      Program crash
      PID:2892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk456808.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk456808.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1328
      4⤵
      Program crash
      PID:3604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si332601.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si332601.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3940 -ip 3940
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 648 -ip 648
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si332601.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si332601.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275168.exe

Filesize
542KB

MD5
36c936ffbcfc80289dcc0bbba4eb4103

SHA1
800ce28ccca455b11be1647fb902aba1045f180c

SHA256
22a0e4a71aa7d627866a2e1f16f9f65905ee41b7eac8cace835dd432c0f65b19

SHA512
0d4e9d3924050283fb4a1649a373531710a304f7a9e5074f5465e05c86b87a4ba334977ffbf118bbe33961a7044a0e3dba2a17ee3184f9008f4af6d195582945

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275168.exe

Filesize
542KB

MD5
36c936ffbcfc80289dcc0bbba4eb4103

SHA1
800ce28ccca455b11be1647fb902aba1045f180c

SHA256
22a0e4a71aa7d627866a2e1f16f9f65905ee41b7eac8cace835dd432c0f65b19

SHA512
0d4e9d3924050283fb4a1649a373531710a304f7a9e5074f5465e05c86b87a4ba334977ffbf118bbe33961a7044a0e3dba2a17ee3184f9008f4af6d195582945

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\22330802.exe

Filesize
263KB

MD5
5e07abeb172a62a4bea012989fe7f1fb

SHA1
ed76eabf37d2d6fd7fb7243fcd17a8c91c1ababc

SHA256
763f1ad31144feeac20b844a75e35311da3bf086b74b8b834a8b37a645982031

SHA512
bcbe9ce6fb528c9d1ad95efc14587ab791e34997e9e93217453a8b617fa63389d2646a02b4ba57dc19f24bf7f18128bd159c527ab7981c9e64dae0bbe599f5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\22330802.exe

Filesize
263KB

MD5
5e07abeb172a62a4bea012989fe7f1fb

SHA1
ed76eabf37d2d6fd7fb7243fcd17a8c91c1ababc

SHA256
763f1ad31144feeac20b844a75e35311da3bf086b74b8b834a8b37a645982031

SHA512
bcbe9ce6fb528c9d1ad95efc14587ab791e34997e9e93217453a8b617fa63389d2646a02b4ba57dc19f24bf7f18128bd159c527ab7981c9e64dae0bbe599f5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk456808.exe

Filesize
328KB

MD5
f5df550a4bf922d5699732e6733b39af

SHA1
bde3e3ea65c6e349c11d29444e434d22161845a6

SHA256
832658a60de623f7f9cb0dbadb9c157d06c250fbf32d60c4cf66992d58e54138

SHA512
b898c7ac0b494795e7f7c897857be8c0b51b017dff1ec91659a673a1e001514e8b0c54f8f80664012099a6b293d8f7f2751dbe6fd8926bc1ed24ad598f150185

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk456808.exe

Filesize
328KB

MD5
f5df550a4bf922d5699732e6733b39af

SHA1
bde3e3ea65c6e349c11d29444e434d22161845a6

SHA256
832658a60de623f7f9cb0dbadb9c157d06c250fbf32d60c4cf66992d58e54138

SHA512
b898c7ac0b494795e7f7c897857be8c0b51b017dff1ec91659a673a1e001514e8b0c54f8f80664012099a6b293d8f7f2751dbe6fd8926bc1ed24ad598f150185

Download Submit
memory/648-221-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/648-988-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/648-998-0x000000000BA50000-0x000000000BAA0000-memory.dmp

Filesize
320KB

Download
memory/648-997-0x000000000B7C0000-0x000000000B7DE000-memory.dmp

Filesize
120KB

Download
memory/648-996-0x000000000B180000-0x000000000B6AC000-memory.dmp

Filesize
5.2MB

Download
memory/648-995-0x000000000AFB0000-0x000000000B172000-memory.dmp

Filesize
1.8MB

Download
memory/648-994-0x000000000AED0000-0x000000000AF46000-memory.dmp

Filesize
472KB

Download
memory/648-993-0x000000000AE00000-0x000000000AE92000-memory.dmp

Filesize
584KB

Download
memory/648-992-0x000000000A740000-0x000000000A7A6000-memory.dmp

Filesize
408KB

Download
memory/648-991-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/648-990-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/648-989-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/648-987-0x0000000009CC0000-0x000000000A2D8000-memory.dmp

Filesize
6.1MB

Download
memory/648-228-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-223-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/648-225-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/648-226-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-222-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-220-0x0000000004810000-0x0000000004856000-memory.dmp

Filesize
280KB

Download
memory/648-212-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-218-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-214-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-216-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-191-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-194-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-192-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-196-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-200-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-198-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-202-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-206-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-204-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-208-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/648-210-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2520-1005-0x0000000000650000-0x0000000000678000-memory.dmp

Filesize
160KB

Download
memory/2520-1006-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/3940-155-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-149-0x00000000070F0000-0x0000000007694000-memory.dmp

Filesize
5.6MB

Download
memory/3940-184-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3940-183-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3940-181-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/3940-180-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3940-179-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3940-150-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-178-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3940-177-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-151-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-175-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-185-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3940-169-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-173-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-167-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-163-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-165-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-161-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-159-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-157-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-171-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download
memory/3940-148-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

Filesize
180KB

Download
memory/3940-186-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/3940-153-0x00000000076E0000-0x00000000076F3000-memory.dmp

Filesize
76KB

Download