963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6

Analysis

max time kernel
110s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe
Size

691KB
MD5

441cc16493d36eb1d009871be8285d5d
SHA1

0db36ee020d42378aca2b30df920e8be4bd464de
SHA256

963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6
SHA512

a73a8a558234bf47daba798147af664db849ffef0fd5fbce3bff5359cc4152f0175da44ea0da45bd5754006a15625cf2e7fc086220c17170ece464806e583809
SSDEEP

12288:Cy909uJ1D3KxLvsgivPRcJHCEED+6e2c7CjSANBsSDfxz:Cy1Jl3sviFEa+52gAN5DJz

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	80941562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	80941562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	80941562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	80941562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	80941562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	80941562.exe

Executes dropped EXE 5 IoCs

pid	Process
4600	un760705.exe
3920	80941562.exe
1804	rk916252.exe
4660	rk916252.exe
4416	si730221.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	80941562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	80941562.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un760705.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un760705.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 4660	1804	rk916252.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
228	3920	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3920	80941562.exe
3920	80941562.exe
4416	si730221.exe
4416	si730221.exe
4660	rk916252.exe
4660	rk916252.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	80941562.exe
Token: SeDebugPrivilege	4660	rk916252.exe
Token: SeDebugPrivilege	4416	si730221.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4600	4100	963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe	84
PID 4100 wrote to memory of 4600	4100	963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe	84
PID 4100 wrote to memory of 4600	4100	963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe	84
PID 4600 wrote to memory of 3920	4600	un760705.exe	85
PID 4600 wrote to memory of 3920	4600	un760705.exe	85
PID 4600 wrote to memory of 3920	4600	un760705.exe	85
PID 4600 wrote to memory of 1804	4600	un760705.exe	88
PID 4600 wrote to memory of 1804	4600	un760705.exe	88
PID 4600 wrote to memory of 1804	4600	un760705.exe	88
PID 1804 wrote to memory of 4660	1804	rk916252.exe	89
PID 1804 wrote to memory of 4660	1804	rk916252.exe	89
PID 1804 wrote to memory of 4660	1804	rk916252.exe	89
PID 1804 wrote to memory of 4660	1804	rk916252.exe	89
PID 1804 wrote to memory of 4660	1804	rk916252.exe	89
PID 1804 wrote to memory of 4660	1804	rk916252.exe	89
PID 1804 wrote to memory of 4660	1804	rk916252.exe	89
PID 1804 wrote to memory of 4660	1804	rk916252.exe	89
PID 1804 wrote to memory of 4660	1804	rk916252.exe	89
PID 4100 wrote to memory of 4416	4100	963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe	90
PID 4100 wrote to memory of 4416	4100	963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe	90
PID 4100 wrote to memory of 4416	4100	963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe	90

C:\Users\Admin\AppData\Local\Temp\963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe
"C:\Users\Admin\AppData\Local\Temp\963885ddbe9ae3f5dc3b683cf9c036d502cf50ece14131e30a206adce2632fb6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un760705.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un760705.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\80941562.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\80941562.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1088
      4⤵
      Program crash
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk916252.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk916252.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk916252.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk916252.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si730221.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si730221.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3920 -ip 3920
1⤵
PID:2132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si730221.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si730221.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un760705.exe

Filesize
537KB

MD5
b103cd28da384355169ad392960e21a8

SHA1
282a6dfea60444f691da9db15144de195be27f7e

SHA256
70d060470c0792edb9a9839acc3297a094af7915c193ee5e690a557754ebaba3

SHA512
6d90dbf4a1583daaca0bf02a63066fe7cf23d93e550784493feacab1ac1d2aef98c2d12d606e083f465e62d19fea60a6a39c661084fe8e2089602705e664a38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un760705.exe

Filesize
537KB

MD5
b103cd28da384355169ad392960e21a8

SHA1
282a6dfea60444f691da9db15144de195be27f7e

SHA256
70d060470c0792edb9a9839acc3297a094af7915c193ee5e690a557754ebaba3

SHA512
6d90dbf4a1583daaca0bf02a63066fe7cf23d93e550784493feacab1ac1d2aef98c2d12d606e083f465e62d19fea60a6a39c661084fe8e2089602705e664a38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\80941562.exe

Filesize
259KB

MD5
df60364318eadd35a49cd09cd03f503c

SHA1
520acb509088073a93fb0b3f4d080095e742af6b

SHA256
aad2018e6b5825018db7fda8155ff434c81f77f28759fc5ed868711a47999607

SHA512
c880f2d66abd289caa4b3f6719c34ce807d92118c84b363501a80c3a350f922bdcc0ebdcd55c9c822547af05934be77413d514fee10cab73afcaddf9f488ad5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\80941562.exe

Filesize
259KB

MD5
df60364318eadd35a49cd09cd03f503c

SHA1
520acb509088073a93fb0b3f4d080095e742af6b

SHA256
aad2018e6b5825018db7fda8155ff434c81f77f28759fc5ed868711a47999607

SHA512
c880f2d66abd289caa4b3f6719c34ce807d92118c84b363501a80c3a350f922bdcc0ebdcd55c9c822547af05934be77413d514fee10cab73afcaddf9f488ad5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk916252.exe

Filesize
342KB

MD5
2214613a65c3bbe2d3b185b6ae106b34

SHA1
b2c8147e9deb35974a51a4e0fb9578e9e660e54e

SHA256
6465834e45b50cbd9c38b321ef2c40cf871412586b8f2165a6c417cbf4e910d8

SHA512
53b5dcde37fa6603a4fe8eca3ad6ef9473f161780f6b3ee792d2420ff66626721e4fe24e85095e5fb8d2131e00a2202bf9b341d1a438f67d2f34d900873cedd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk916252.exe

Filesize
342KB

MD5
2214613a65c3bbe2d3b185b6ae106b34

SHA1
b2c8147e9deb35974a51a4e0fb9578e9e660e54e

SHA256
6465834e45b50cbd9c38b321ef2c40cf871412586b8f2165a6c417cbf4e910d8

SHA512
53b5dcde37fa6603a4fe8eca3ad6ef9473f161780f6b3ee792d2420ff66626721e4fe24e85095e5fb8d2131e00a2202bf9b341d1a438f67d2f34d900873cedd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk916252.exe

Filesize
342KB

MD5
2214613a65c3bbe2d3b185b6ae106b34

SHA1
b2c8147e9deb35974a51a4e0fb9578e9e660e54e

SHA256
6465834e45b50cbd9c38b321ef2c40cf871412586b8f2165a6c417cbf4e910d8

SHA512
53b5dcde37fa6603a4fe8eca3ad6ef9473f161780f6b3ee792d2420ff66626721e4fe24e85095e5fb8d2131e00a2202bf9b341d1a438f67d2f34d900873cedd1

Download Submit
memory/1804-193-0x00000000020E0000-0x0000000002127000-memory.dmp

Filesize
284KB

Download
memory/3920-166-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3920-154-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-162-0x0000000000570000-0x000000000059D000-memory.dmp

Filesize
180KB

Download
memory/3920-165-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3920-167-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-169-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3920-170-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-158-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-163-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-172-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-174-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-176-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-178-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-180-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3920-182-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3920-183-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3920-185-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3920-156-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-160-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-148-0x00000000049E0000-0x0000000004F84000-memory.dmp

Filesize
5.6MB

Download
memory/3920-150-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-152-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/3920-149-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/4416-213-0x0000000007210000-0x000000000724C000-memory.dmp

Filesize
240KB

Download
memory/4416-901-0x0000000004660000-0x00000000046B0000-memory.dmp

Filesize
320KB

Download
memory/4416-453-0x0000000008BF0000-0x0000000008DB2000-memory.dmp

Filesize
1.8MB

Download
memory/4416-199-0x0000000000480000-0x00000000004A8000-memory.dmp

Filesize
160KB

Download
memory/4416-412-0x0000000008190000-0x00000000081AE000-memory.dmp

Filesize
120KB

Download
memory/4416-202-0x0000000007710000-0x0000000007D28000-memory.dmp

Filesize
6.1MB

Download
memory/4416-459-0x00000000092F0000-0x000000000981C000-memory.dmp

Filesize
5.2MB

Download
memory/4416-205-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/4416-391-0x0000000008240000-0x00000000082B6000-memory.dmp

Filesize
472KB

Download
memory/4416-208-0x00000000072E0000-0x00000000073EA000-memory.dmp

Filesize
1.0MB

Download
memory/4416-381-0x0000000007FF0000-0x0000000008082000-memory.dmp

Filesize
584KB

Download
memory/4416-328-0x0000000007590000-0x00000000075F6000-memory.dmp

Filesize
408KB

Download
memory/4416-237-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/4660-201-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-217-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-219-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-215-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-221-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-223-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-225-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-227-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-229-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-231-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-232-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4660-236-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-235-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4660-212-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-234-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4660-210-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-207-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-204-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-200-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/4660-194-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4660-192-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4660-190-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4660-1008-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4660-1012-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download