ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355

Analysis

max time kernel
54s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26/04/2023, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
Size

697KB
MD5

6efc55934592cb8a85fa3a83f993e28b
SHA1

6cee545cc11d14da88aefae0cde0ad44eaee2940
SHA256

ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355
SHA512

d21b01eb3020aae0fed567e1845ab88c521b54c8ed6df7823cb32198710f076605a7cf95958191e0c003f89e07a08e1249c560cf29490fe20f033410f4764a9f
SSDEEP

12288:ty90fnQ4MUmOE9EQxywvAj9ujjNNCaW3EwXldSVhhYWj57vlzO:ty/4xc9EQxyLYjBmZXlQnnfzO

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	69072912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	69072912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	69072912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	69072912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	69072912.exe

Executes dropped EXE 4 IoCs

pid	Process
1556	un039840.exe
2312	69072912.exe
1428	rk859349.exe
4052	si596767.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	69072912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	69072912.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un039840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un039840.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2312	69072912.exe
2312	69072912.exe
1428	rk859349.exe
1428	rk859349.exe
4052	si596767.exe
4052	si596767.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	69072912.exe
Token: SeDebugPrivilege	1428	rk859349.exe
Token: SeDebugPrivilege	4052	si596767.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1556	1836	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe	66
PID 1836 wrote to memory of 1556	1836	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe	66
PID 1836 wrote to memory of 1556	1836	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe	66
PID 1556 wrote to memory of 2312	1556	un039840.exe	67
PID 1556 wrote to memory of 2312	1556	un039840.exe	67
PID 1556 wrote to memory of 2312	1556	un039840.exe	67
PID 1556 wrote to memory of 1428	1556	un039840.exe	68
PID 1556 wrote to memory of 1428	1556	un039840.exe	68
PID 1556 wrote to memory of 1428	1556	un039840.exe	68
PID 1836 wrote to memory of 4052	1836	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe	70
PID 1836 wrote to memory of 4052	1836	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe	70
PID 1836 wrote to memory of 4052	1836	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe	70

C:\Users\Admin\AppData\Local\Temp\ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
"C:\Users\Admin\AppData\Local\Temp\ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un039840.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un039840.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\69072912.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\69072912.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859349.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859349.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si596767.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si596767.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si596767.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si596767.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un039840.exe

Filesize
542KB

MD5
95de9bc57944caa7d11e546c1ca89d6b

SHA1
3f5de289e52313a924836e77a80b5f877d583b84

SHA256
02fa75eb5e34fc192926f82b85cc0b829fa58751cc5ea800df61285420d7178d

SHA512
63a25a1eca8b77a65ef789d0f5132798967d3be5d689b9094167036b7b0a7f0fa5326f46dbb28c1183aaba4a0b8d4c75fa44be9fa578ff415c9b78f1eb447246

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un039840.exe

Filesize
542KB

MD5
95de9bc57944caa7d11e546c1ca89d6b

SHA1
3f5de289e52313a924836e77a80b5f877d583b84

SHA256
02fa75eb5e34fc192926f82b85cc0b829fa58751cc5ea800df61285420d7178d

SHA512
63a25a1eca8b77a65ef789d0f5132798967d3be5d689b9094167036b7b0a7f0fa5326f46dbb28c1183aaba4a0b8d4c75fa44be9fa578ff415c9b78f1eb447246

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\69072912.exe

Filesize
263KB

MD5
872e0454fee70310ccfe1b94b13cfa7b

SHA1
7a5ecac3fd09c5953ab3c00565eb44b88c52860f

SHA256
48db4f6ecbac38e315f4159056f5addf427f4769bc3f539f48721566ce56a4c8

SHA512
f84597d292e14a0ad8d968606096b23b12090c5af6dcdde451fe7962edc3a1dd791b64603f9a5206386919e548e4a984ae407512ca17144d3a501ba07f1ec208

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\69072912.exe

Filesize
263KB

MD5
872e0454fee70310ccfe1b94b13cfa7b

SHA1
7a5ecac3fd09c5953ab3c00565eb44b88c52860f

SHA256
48db4f6ecbac38e315f4159056f5addf427f4769bc3f539f48721566ce56a4c8

SHA512
f84597d292e14a0ad8d968606096b23b12090c5af6dcdde451fe7962edc3a1dd791b64603f9a5206386919e548e4a984ae407512ca17144d3a501ba07f1ec208

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859349.exe

Filesize
328KB

MD5
49413204f477a7b87e6ee8781d5bc523

SHA1
2aa8c3acc2bde76e60c55e44efe4acc3781ec519

SHA256
aa1c0631059ce7c8c6cdb17fd27fe38aae1c0f8aedffb4a9f9fc76c58bf7ac73

SHA512
249150fd49c26c124235c73b0b2e5eba9ecefd3a221b2bb91ad3fcc5e3472660434c64681fbd2484964d312fcfd0c67852b6c6f7994a92305e2697051420dbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859349.exe

Filesize
328KB

MD5
49413204f477a7b87e6ee8781d5bc523

SHA1
2aa8c3acc2bde76e60c55e44efe4acc3781ec519

SHA256
aa1c0631059ce7c8c6cdb17fd27fe38aae1c0f8aedffb4a9f9fc76c58bf7ac73

SHA512
249150fd49c26c124235c73b0b2e5eba9ecefd3a221b2bb91ad3fcc5e3472660434c64681fbd2484964d312fcfd0c67852b6c6f7994a92305e2697051420dbc3

Download Submit
memory/1428-248-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1428-979-0x000000000A230000-0x000000000A33A000-memory.dmp

Filesize
1.0MB

Download
memory/1428-989-0x000000000B260000-0x000000000B78C000-memory.dmp

Filesize
5.2MB

Download
memory/1428-988-0x000000000B090000-0x000000000B252000-memory.dmp

Filesize
1.8MB

Download
memory/1428-987-0x000000000B020000-0x000000000B070000-memory.dmp

Filesize
320KB

Download
memory/1428-986-0x000000000AE80000-0x000000000AE9E000-memory.dmp

Filesize
120KB

Download
memory/1428-985-0x000000000ADD0000-0x000000000AE46000-memory.dmp

Filesize
472KB

Download
memory/1428-984-0x000000000AD30000-0x000000000ADC2000-memory.dmp

Filesize
584KB

Download
memory/1428-983-0x000000000A650000-0x000000000A6B6000-memory.dmp

Filesize
408KB

Download
memory/1428-982-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1428-981-0x000000000A3C0000-0x000000000A40B000-memory.dmp

Filesize
300KB

Download
memory/1428-980-0x000000000A340000-0x000000000A37E000-memory.dmp

Filesize
248KB

Download
memory/1428-198-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-978-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1428-977-0x0000000009C20000-0x000000000A226000-memory.dmp

Filesize
6.0MB

Download
memory/1428-244-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1428-247-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1428-243-0x0000000002BF0000-0x0000000002C36000-memory.dmp

Filesize
280KB

Download
memory/1428-214-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-212-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-210-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-208-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-206-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-179-0x0000000004C30000-0x0000000004C6C000-memory.dmp

Filesize
240KB

Download
memory/1428-180-0x0000000007110000-0x000000000714A000-memory.dmp

Filesize
232KB

Download
memory/1428-181-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-182-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-184-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-186-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-188-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-190-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-192-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-204-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-196-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-194-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-200-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/1428-202-0x0000000007110000-0x0000000007145000-memory.dmp

Filesize
212KB

Download
memory/2312-149-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-137-0x0000000004790000-0x00000000047AA000-memory.dmp

Filesize
104KB

Download
memory/2312-140-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2312-174-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2312-155-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-171-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2312-170-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2312-169-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-167-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-138-0x0000000007340000-0x000000000783E000-memory.dmp

Filesize
5.0MB

Download
memory/2312-165-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-163-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-139-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2312-161-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-172-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2312-159-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-153-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-151-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-157-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-147-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-145-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-143-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-142-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/2312-141-0x00000000048B0000-0x00000000048C8000-memory.dmp

Filesize
96KB

Download
memory/2312-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4052-996-0x00000000006A0000-0x00000000006C8000-memory.dmp

Filesize
160KB

Download
memory/4052-997-0x0000000007460000-0x00000000074AB000-memory.dmp

Filesize
300KB

Download
memory/4052-998-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download