c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e

Analysis

max time kernel
83s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe
Size

691KB
MD5

b57544bb18cce7544f83a57edcbb725c
SHA1

f0f9af56bcf1544abdff515c6616ab6e81b9d4f0
SHA256

c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e
SHA512

c83211779184e7093e269f0671097080da904d452ea6376bba6c6a261261165292b09e01ebecf8fb400c20a82fef15750b2e3a5e3da6697e803e0c06ea80cf04
SSDEEP

12288:Ly90o+rVj07zIpZSeju4jnFC+Me2e7S/CANBOL46BBlw:LykYzIpUsux+32+ANslBI

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	92201628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	92201628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	92201628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	92201628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	92201628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	92201628.exe

Executes dropped EXE 5 IoCs

pid	Process
3796	un209235.exe
2408	92201628.exe
3896	rk115076.exe
4420	rk115076.exe
1608	si107749.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	92201628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	92201628.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un209235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un209235.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3896 set thread context of 4420	3896	rk115076.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1000	2408	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2408	92201628.exe
2408	92201628.exe
1608	si107749.exe
1608	si107749.exe
4420	rk115076.exe
4420	rk115076.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	92201628.exe
Token: SeDebugPrivilege	4420	rk115076.exe
Token: SeDebugPrivilege	1608	si107749.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3796	1188	c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe	81
PID 1188 wrote to memory of 3796	1188	c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe	81
PID 1188 wrote to memory of 3796	1188	c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe	81
PID 3796 wrote to memory of 2408	3796	un209235.exe	82
PID 3796 wrote to memory of 2408	3796	un209235.exe	82
PID 3796 wrote to memory of 2408	3796	un209235.exe	82
PID 3796 wrote to memory of 3896	3796	un209235.exe	86
PID 3796 wrote to memory of 3896	3796	un209235.exe	86
PID 3796 wrote to memory of 3896	3796	un209235.exe	86
PID 3896 wrote to memory of 4420	3896	rk115076.exe	87
PID 3896 wrote to memory of 4420	3896	rk115076.exe	87
PID 3896 wrote to memory of 4420	3896	rk115076.exe	87
PID 3896 wrote to memory of 4420	3896	rk115076.exe	87
PID 3896 wrote to memory of 4420	3896	rk115076.exe	87
PID 3896 wrote to memory of 4420	3896	rk115076.exe	87
PID 3896 wrote to memory of 4420	3896	rk115076.exe	87
PID 3896 wrote to memory of 4420	3896	rk115076.exe	87
PID 3896 wrote to memory of 4420	3896	rk115076.exe	87
PID 1188 wrote to memory of 1608	1188	c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe	88
PID 1188 wrote to memory of 1608	1188	c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe	88
PID 1188 wrote to memory of 1608	1188	c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe	88

C:\Users\Admin\AppData\Local\Temp\c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe
"C:\Users\Admin\AppData\Local\Temp\c4fc56b32007b5f825312b644829e7f9f0598ac6d3515b1699978192d3dc0e1e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209235.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209235.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92201628.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92201628.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1084
      4⤵
      Program crash
      PID:1000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk115076.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk115076.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk115076.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk115076.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si107749.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si107749.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 2200 -i 2200 -h 460 -j 428 -s 456 -d 2476
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2408 -ip 2408
1⤵
PID:2808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si107749.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si107749.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209235.exe

Filesize
537KB

MD5
c11bb509ca2e370f806f051f14a7afd3

SHA1
592e7f315b18f4f23d31e52eb8cae44aba804fb4

SHA256
790327f6a914530b8964e6b686327f0e07383ee155eb8a8101ca1e64c86e0787

SHA512
c25049211b11a5ce0de4a39b539004193373225225e8e9c8c11fb58b4becf7e863cfcf528c9de44d622fde44e681be4399b1036d601aa4bdc6d93abf134504b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209235.exe

Filesize
537KB

MD5
c11bb509ca2e370f806f051f14a7afd3

SHA1
592e7f315b18f4f23d31e52eb8cae44aba804fb4

SHA256
790327f6a914530b8964e6b686327f0e07383ee155eb8a8101ca1e64c86e0787

SHA512
c25049211b11a5ce0de4a39b539004193373225225e8e9c8c11fb58b4becf7e863cfcf528c9de44d622fde44e681be4399b1036d601aa4bdc6d93abf134504b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92201628.exe

Filesize
259KB

MD5
730e0fc57749788a212073782f40b025

SHA1
c85e76fac05a7bef25fee722c5c9d94ff301d1ec

SHA256
123d39c21c7b7e94f424b255c16a8e3266b494213b4a301fa558773a29f5fd56

SHA512
8dde3d149be211e947dc43d31f0c10c49c7b444a897b1a633b5fa8ace20e5eb76a8711be44a5d25f507dea0ade4f793231371191332c8e5a68754d9a116d9424

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92201628.exe

Filesize
259KB

MD5
730e0fc57749788a212073782f40b025

SHA1
c85e76fac05a7bef25fee722c5c9d94ff301d1ec

SHA256
123d39c21c7b7e94f424b255c16a8e3266b494213b4a301fa558773a29f5fd56

SHA512
8dde3d149be211e947dc43d31f0c10c49c7b444a897b1a633b5fa8ace20e5eb76a8711be44a5d25f507dea0ade4f793231371191332c8e5a68754d9a116d9424

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk115076.exe

Filesize
342KB

MD5
458dd956cedf6983ed73033a080db879

SHA1
53526c259cdef3d6bf467c52c6b0740fffd909be

SHA256
17f4cc59b54a1c6bd59d34e0ca669b65ff4a79c3f1100b16b6080f5b9a6d213f

SHA512
b7fc72bc1a470e19a54f4d8899441485864a37efe1671352127e8fcafc39f59a936b3acd75ab3e110c10dce97bdd54e386b33dae167de7119d5e00323916fa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk115076.exe

Filesize
342KB

MD5
458dd956cedf6983ed73033a080db879

SHA1
53526c259cdef3d6bf467c52c6b0740fffd909be

SHA256
17f4cc59b54a1c6bd59d34e0ca669b65ff4a79c3f1100b16b6080f5b9a6d213f

SHA512
b7fc72bc1a470e19a54f4d8899441485864a37efe1671352127e8fcafc39f59a936b3acd75ab3e110c10dce97bdd54e386b33dae167de7119d5e00323916fa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk115076.exe

Filesize
342KB

MD5
458dd956cedf6983ed73033a080db879

SHA1
53526c259cdef3d6bf467c52c6b0740fffd909be

SHA256
17f4cc59b54a1c6bd59d34e0ca669b65ff4a79c3f1100b16b6080f5b9a6d213f

SHA512
b7fc72bc1a470e19a54f4d8899441485864a37efe1671352127e8fcafc39f59a936b3acd75ab3e110c10dce97bdd54e386b33dae167de7119d5e00323916fa85

Download Submit
memory/1608-395-0x0000000007980000-0x00000000079E6000-memory.dmp

Filesize
408KB

Download
memory/1608-487-0x0000000008510000-0x00000000085A2000-memory.dmp

Filesize
584KB

Download
memory/1608-252-0x0000000007900000-0x0000000007910000-memory.dmp

Filesize
64KB

Download
memory/1608-215-0x00000000075D0000-0x000000000760C000-memory.dmp

Filesize
240KB

Download
memory/1608-212-0x00000000076A0000-0x00000000077AA000-memory.dmp

Filesize
1.0MB

Download
memory/1608-209-0x0000000007570000-0x0000000007582000-memory.dmp

Filesize
72KB

Download
memory/1608-205-0x0000000007B10000-0x0000000008128000-memory.dmp

Filesize
6.1MB

Download
memory/1608-579-0x0000000008630000-0x00000000086A6000-memory.dmp

Filesize
472KB

Download
memory/1608-200-0x0000000000860000-0x0000000000888000-memory.dmp

Filesize
160KB

Download
memory/1608-597-0x0000000008F90000-0x0000000009152000-memory.dmp

Filesize
1.8MB

Download
memory/1608-604-0x0000000009690000-0x0000000009BBC000-memory.dmp

Filesize
5.2MB

Download
memory/1608-614-0x0000000008730000-0x000000000874E000-memory.dmp

Filesize
120KB

Download
memory/1608-1008-0x00000000087F0000-0x0000000008840000-memory.dmp

Filesize
320KB

Download
memory/2408-166-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-174-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2408-182-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2408-183-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2408-184-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2408-186-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2408-180-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-178-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-148-0x0000000004A70000-0x0000000005014000-memory.dmp

Filesize
5.6MB

Download
memory/2408-176-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-149-0x00000000004E0000-0x000000000050D000-memory.dmp

Filesize
180KB

Download
memory/2408-160-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-158-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-164-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-168-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-170-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-151-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2408-172-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-150-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2408-152-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2408-153-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-162-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-154-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/2408-156-0x0000000002490000-0x00000000024A3000-memory.dmp

Filesize
76KB

Download
memory/3896-193-0x00000000005F0000-0x0000000000637000-memory.dmp

Filesize
284KB

Download
memory/4420-195-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4420-214-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-211-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-217-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-219-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-221-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-223-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-225-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-227-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-229-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-231-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-233-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-235-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-237-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-201-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-206-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/4420-208-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-203-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4420-204-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/4420-202-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4420-194-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4420-1007-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/4420-191-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4420-1013-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download