c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143

Analysis

max time kernel
53s
max time network
140s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26/04/2023, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe
Size

697KB
MD5

8d3ba47a5268d9f8b67a1ab6ba534a19
SHA1

3b26f19c14efd461e1f72e569deee9c38df149b8
SHA256

c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143
SHA512

d9575d67b59458b96a7597141d411e5c37578a9d6118c5371f815b7ccbf42f7ca0ebe0f8757cfae14a74897ed04012318c72881ec553f7308b7a222c941cc0d8
SSDEEP

12288:7y90QFD7P24wcG8z+3oo11HScpdGdooO/VL8CUL:7yhar8zX2hScpQl0BJUL

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	60033391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	60033391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	60033391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	60033391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	60033391.exe

Executes dropped EXE 4 IoCs

pid	Process
5116	un894097.exe
2140	60033391.exe
1940	rk133502.exe
3944	si696123.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	60033391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	60033391.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un894097.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un894097.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2140	60033391.exe
2140	60033391.exe
1940	rk133502.exe
1940	rk133502.exe
3944	si696123.exe
3944	si696123.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	60033391.exe
Token: SeDebugPrivilege	1940	rk133502.exe
Token: SeDebugPrivilege	3944	si696123.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 5116	4600	c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe	66
PID 4600 wrote to memory of 5116	4600	c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe	66
PID 4600 wrote to memory of 5116	4600	c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe	66
PID 5116 wrote to memory of 2140	5116	un894097.exe	67
PID 5116 wrote to memory of 2140	5116	un894097.exe	67
PID 5116 wrote to memory of 2140	5116	un894097.exe	67
PID 5116 wrote to memory of 1940	5116	un894097.exe	68
PID 5116 wrote to memory of 1940	5116	un894097.exe	68
PID 5116 wrote to memory of 1940	5116	un894097.exe	68
PID 4600 wrote to memory of 3944	4600	c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe	70
PID 4600 wrote to memory of 3944	4600	c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe	70
PID 4600 wrote to memory of 3944	4600	c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe	70

C:\Users\Admin\AppData\Local\Temp\c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe
"C:\Users\Admin\AppData\Local\Temp\c411e3e171fbd57d865420efc71e5a4a9b8350353fc7d569a42ead78acf01143.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un894097.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un894097.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\60033391.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\60033391.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133502.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133502.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si696123.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si696123.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si696123.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si696123.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un894097.exe

Filesize
543KB

MD5
62a62cdd229f00b7d54a5643e9034d19

SHA1
dbe72c8383b3a3504b08187f7a3d0e54ffbb1ba5

SHA256
3ee043d12df046cd744e99f3043cf39b145a092377bb8dbce1dd22bfa4c3cc1d

SHA512
40e2655ac48734560b60c88fadae1bd805d20e6679e49c0cfeaba6c9a9d98a3a4d4d7d714ec0c887c998f2b8a7bec5313eea8c61c7253637a9f1978b8d52efd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un894097.exe

Filesize
543KB

MD5
62a62cdd229f00b7d54a5643e9034d19

SHA1
dbe72c8383b3a3504b08187f7a3d0e54ffbb1ba5

SHA256
3ee043d12df046cd744e99f3043cf39b145a092377bb8dbce1dd22bfa4c3cc1d

SHA512
40e2655ac48734560b60c88fadae1bd805d20e6679e49c0cfeaba6c9a9d98a3a4d4d7d714ec0c887c998f2b8a7bec5313eea8c61c7253637a9f1978b8d52efd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\60033391.exe

Filesize
263KB

MD5
fab526cd68d273771894feef39b92326

SHA1
548ed345c3fc99f60260a95d6ff2014e18df6e5f

SHA256
700a1750505094f306bca7a1d203688b074506ae2b082369b1a380e6d546be60

SHA512
b997273b47bdb19378b99e3197d0581eb6ba1787a653ca85000b2569eb7074fa2e060b557b55e035621c162a5f793dd1bf67e8e56feb24416a05a6642f8aa07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\60033391.exe

Filesize
263KB

MD5
fab526cd68d273771894feef39b92326

SHA1
548ed345c3fc99f60260a95d6ff2014e18df6e5f

SHA256
700a1750505094f306bca7a1d203688b074506ae2b082369b1a380e6d546be60

SHA512
b997273b47bdb19378b99e3197d0581eb6ba1787a653ca85000b2569eb7074fa2e060b557b55e035621c162a5f793dd1bf67e8e56feb24416a05a6642f8aa07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133502.exe

Filesize
328KB

MD5
6323e7d19b92703a3fd1c2f378098afe

SHA1
fb0db363e649d5035f6ab5518fa887a0fe8467f3

SHA256
761deae6592906ffeeddc1abf6cc31dbade40cfc68268cf22c6096c00bcd6179

SHA512
75c58e240f8de7041ce7c663ec8440ddc0d18b3d6d9b7ec38f1d8e789e347b060636662321b90ff2c3531a3357c151920bb5fa48b1b5afe7317e3c2e06328d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133502.exe

Filesize
328KB

MD5
6323e7d19b92703a3fd1c2f378098afe

SHA1
fb0db363e649d5035f6ab5518fa887a0fe8467f3

SHA256
761deae6592906ffeeddc1abf6cc31dbade40cfc68268cf22c6096c00bcd6179

SHA512
75c58e240f8de7041ce7c663ec8440ddc0d18b3d6d9b7ec38f1d8e789e347b060636662321b90ff2c3531a3357c151920bb5fa48b1b5afe7317e3c2e06328d34

Download Submit
memory/1940-214-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-212-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-989-0x000000000B720000-0x000000000B73E000-memory.dmp

Filesize
120KB

Download
memory/1940-988-0x000000000B0C0000-0x000000000B5EC000-memory.dmp

Filesize
5.2MB

Download
memory/1940-987-0x000000000AEE0000-0x000000000B0A2000-memory.dmp

Filesize
1.8MB

Download
memory/1940-986-0x000000000AE20000-0x000000000AE96000-memory.dmp

Filesize
472KB

Download
memory/1940-985-0x000000000ADD0000-0x000000000AE20000-memory.dmp

Filesize
320KB

Download
memory/1940-984-0x000000000AD30000-0x000000000ADC2000-memory.dmp

Filesize
584KB

Download
memory/1940-983-0x000000000A650000-0x000000000A6B6000-memory.dmp

Filesize
408KB

Download
memory/1940-982-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/1940-981-0x000000000A3C0000-0x000000000A40B000-memory.dmp

Filesize
300KB

Download
memory/1940-980-0x000000000A340000-0x000000000A37E000-memory.dmp

Filesize
248KB

Download
memory/1940-979-0x000000000A220000-0x000000000A32A000-memory.dmp

Filesize
1.0MB

Download
memory/1940-978-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/1940-977-0x0000000009BC0000-0x000000000A1C6000-memory.dmp

Filesize
6.0MB

Download
memory/1940-218-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-189-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/1940-190-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/1940-216-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-196-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-210-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-208-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-206-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-204-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-202-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-179-0x0000000004C90000-0x0000000004CCC000-memory.dmp

Filesize
240KB

Download
memory/1940-180-0x0000000004E40000-0x0000000004E7A000-memory.dmp

Filesize
232KB

Download
memory/1940-181-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-182-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-185-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-187-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/1940-184-0x0000000002D00000-0x0000000002D46000-memory.dmp

Filesize
280KB

Download
memory/1940-200-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-188-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-198-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-192-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1940-194-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/2140-166-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-168-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-139-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2140-138-0x0000000007720000-0x0000000007738000-memory.dmp

Filesize
96KB

Download
memory/2140-137-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2140-174-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2140-172-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2140-171-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2140-170-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2140-136-0x0000000002EC0000-0x0000000002EED000-memory.dmp

Filesize
180KB

Download
memory/2140-169-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2140-164-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-162-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-160-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-158-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-156-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-154-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-152-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-150-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-148-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-146-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-144-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-142-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-141-0x0000000007720000-0x0000000007733000-memory.dmp

Filesize
76KB

Download
memory/2140-140-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2140-135-0x00000000071E0000-0x00000000076DE000-memory.dmp

Filesize
5.0MB

Download
memory/2140-134-0x0000000004A80000-0x0000000004A9A000-memory.dmp

Filesize
104KB

Download
memory/3944-995-0x0000000000D90000-0x0000000000DB8000-memory.dmp

Filesize
160KB

Download
memory/3944-996-0x0000000007B10000-0x0000000007B5B000-memory.dmp

Filesize
300KB

Download
memory/3944-997-0x0000000007E90000-0x0000000007EA0000-memory.dmp

Filesize
64KB

Download