de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd

Analysis

max time kernel
62s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe
Size

691KB
MD5

77324118f529ba6822b10c0998e9e5e2
SHA1

6ff19f266a11eb4d3e5b7571b45f7590d3539f2e
SHA256

de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd
SHA512

cfaadc93c3670e5fc30d6d143b5b6a626bb69edbf3582a4f6971d5dda1e2a49dd2b9ddbd720bcd1eff885ef89cfdb74238b79de8d60a7a62a8ebfe02d7306d6e
SSDEEP

12288:yy90I1Blkpf2+/dMjngt4AmZ2wI7hzBv8M0dXrBYe2Z7C8AANBXbef8GD:yyRGf2YMjni4077lv0dBz2cANFbef8U

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	86628894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	86628894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	86628894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	86628894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	86628894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	86628894.exe

Executes dropped EXE 5 IoCs

pid	Process
1892	un748927.exe
1836	86628894.exe
3936	rk505426.exe
1956	rk505426.exe
2460	si106810.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	86628894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	86628894.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un748927.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un748927.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3936 set thread context of 1956	3936	rk505426.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5016	1836	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1836	86628894.exe
1836	86628894.exe
2460	si106810.exe
2460	si106810.exe
1956	rk505426.exe
1956	rk505426.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	86628894.exe
Token: SeDebugPrivilege	1956	rk505426.exe
Token: SeDebugPrivilege	2460	si106810.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 1892	4464	de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe	82
PID 4464 wrote to memory of 1892	4464	de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe	82
PID 4464 wrote to memory of 1892	4464	de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe	82
PID 1892 wrote to memory of 1836	1892	un748927.exe	83
PID 1892 wrote to memory of 1836	1892	un748927.exe	83
PID 1892 wrote to memory of 1836	1892	un748927.exe	83
PID 1892 wrote to memory of 3936	1892	un748927.exe	90
PID 1892 wrote to memory of 3936	1892	un748927.exe	90
PID 1892 wrote to memory of 3936	1892	un748927.exe	90
PID 3936 wrote to memory of 1956	3936	rk505426.exe	91
PID 3936 wrote to memory of 1956	3936	rk505426.exe	91
PID 3936 wrote to memory of 1956	3936	rk505426.exe	91
PID 3936 wrote to memory of 1956	3936	rk505426.exe	91
PID 3936 wrote to memory of 1956	3936	rk505426.exe	91
PID 3936 wrote to memory of 1956	3936	rk505426.exe	91
PID 3936 wrote to memory of 1956	3936	rk505426.exe	91
PID 3936 wrote to memory of 1956	3936	rk505426.exe	91
PID 3936 wrote to memory of 1956	3936	rk505426.exe	91
PID 4464 wrote to memory of 2460	4464	de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe	92
PID 4464 wrote to memory of 2460	4464	de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe	92
PID 4464 wrote to memory of 2460	4464	de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe	92

C:\Users\Admin\AppData\Local\Temp\de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe
"C:\Users\Admin\AppData\Local\Temp\de4d936a2d1abbed5bbd1deaf189e823fabe61287afcfa689c3de82bcea54afd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un748927.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un748927.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\86628894.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\86628894.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1084
      4⤵
      Program crash
      PID:5016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk505426.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk505426.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk505426.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk505426.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si106810.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si106810.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1836 -ip 1836
1⤵
PID:3444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si106810.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si106810.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un748927.exe

Filesize
537KB

MD5
d8e13902f5e7feb5d8991321035fdfa7

SHA1
1855103307f050d7aa7f6e4188021e191caf0aa6

SHA256
5e0f861950df9d7e56f7f3fe30ca09547fb32435dd9dbf1eb506174b464c7a91

SHA512
cefa93c4cf07e3c10a97623a0496adc4e4e5ae45be7e1e5d1e1d81a4e9c7b1a30b4f60065b81d5da032b9e9b72c5bf26773590d466cadcb1d7ca057fb5f565e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un748927.exe

Filesize
537KB

MD5
d8e13902f5e7feb5d8991321035fdfa7

SHA1
1855103307f050d7aa7f6e4188021e191caf0aa6

SHA256
5e0f861950df9d7e56f7f3fe30ca09547fb32435dd9dbf1eb506174b464c7a91

SHA512
cefa93c4cf07e3c10a97623a0496adc4e4e5ae45be7e1e5d1e1d81a4e9c7b1a30b4f60065b81d5da032b9e9b72c5bf26773590d466cadcb1d7ca057fb5f565e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\86628894.exe

Filesize
259KB

MD5
fc61c84b619f36f9ea1e2a5b3e31bc84

SHA1
2dac8975484a6e6f3443a35ad3c55c2142243fd9

SHA256
5dcbebbee8dfb772c1ee9ece8402f6e1fe0af645b29f783c55a8dce7c0158183

SHA512
2fdb66360453c64ec35cba7e6013f9320a20597d90d1dd9e9aff1400b72314a505a1e2e4277b3c46a57912001cef20a3576fc6b010741e67e9ceab35594791a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\86628894.exe

Filesize
259KB

MD5
fc61c84b619f36f9ea1e2a5b3e31bc84

SHA1
2dac8975484a6e6f3443a35ad3c55c2142243fd9

SHA256
5dcbebbee8dfb772c1ee9ece8402f6e1fe0af645b29f783c55a8dce7c0158183

SHA512
2fdb66360453c64ec35cba7e6013f9320a20597d90d1dd9e9aff1400b72314a505a1e2e4277b3c46a57912001cef20a3576fc6b010741e67e9ceab35594791a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk505426.exe

Filesize
342KB

MD5
07604e4058fa1517fe06c0ebdd1652e6

SHA1
0131d1bc4ade292aa6f24db3ec7190980eaa8053

SHA256
b82b6a060b85de7b847210be9b9ce0a577a3826ef67075a169ee338b5d067d34

SHA512
47db11a4d2da2020e3b5624d5e52ca56c2a1fa84a6a552a5a34a76b50c2f2babbfe5972aace6ef9e84889d42c2a8e280da1ec2330ea3f0a3217530437daf936c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk505426.exe

Filesize
342KB

MD5
07604e4058fa1517fe06c0ebdd1652e6

SHA1
0131d1bc4ade292aa6f24db3ec7190980eaa8053

SHA256
b82b6a060b85de7b847210be9b9ce0a577a3826ef67075a169ee338b5d067d34

SHA512
47db11a4d2da2020e3b5624d5e52ca56c2a1fa84a6a552a5a34a76b50c2f2babbfe5972aace6ef9e84889d42c2a8e280da1ec2330ea3f0a3217530437daf936c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk505426.exe

Filesize
342KB

MD5
07604e4058fa1517fe06c0ebdd1652e6

SHA1
0131d1bc4ade292aa6f24db3ec7190980eaa8053

SHA256
b82b6a060b85de7b847210be9b9ce0a577a3826ef67075a169ee338b5d067d34

SHA512
47db11a4d2da2020e3b5624d5e52ca56c2a1fa84a6a552a5a34a76b50c2f2babbfe5972aace6ef9e84889d42c2a8e280da1ec2330ea3f0a3217530437daf936c

Download Submit
memory/1836-184-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1836-152-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-155-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-159-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-157-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-161-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-163-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-166-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-168-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1836-169-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-165-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/1836-172-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-171-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1836-174-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-176-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-178-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-180-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-182-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1836-183-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1836-151-0x0000000004D90000-0x0000000005334000-memory.dmp

Filesize
5.6MB

Download
memory/1836-185-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1836-187-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1836-153-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download
memory/1956-196-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1956-215-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-192-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1956-202-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1956-235-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-1017-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1956-1013-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1956-205-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-206-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-1011-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1956-209-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-211-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-213-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-195-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1956-217-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-219-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-240-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-222-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-224-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-226-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-228-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-229-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1956-232-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1956-231-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/1956-234-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1956-238-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/2460-200-0x0000000000710000-0x0000000000738000-memory.dmp

Filesize
160KB

Download
memory/2460-236-0x0000000007560000-0x0000000007570000-memory.dmp

Filesize
64KB

Download
memory/2460-220-0x00000000074A0000-0x00000000074DC000-memory.dmp

Filesize
240KB

Download
memory/2460-299-0x00000000077E0000-0x0000000007846000-memory.dmp

Filesize
408KB

Download
memory/2460-371-0x0000000008390000-0x0000000008422000-memory.dmp

Filesize
584KB

Download
memory/2460-393-0x0000000008550000-0x00000000085A0000-memory.dmp

Filesize
320KB

Download
memory/2460-396-0x0000000008620000-0x0000000008696000-memory.dmp

Filesize
472KB

Download
memory/2460-419-0x0000000008F90000-0x0000000009152000-memory.dmp

Filesize
1.8MB

Download
memory/2460-426-0x0000000009690000-0x0000000009BBC000-memory.dmp

Filesize
5.2MB

Download
memory/2460-429-0x0000000008770000-0x000000000878E000-memory.dmp

Filesize
120KB

Download
memory/2460-208-0x0000000007570000-0x000000000767A000-memory.dmp

Filesize
1.0MB

Download
memory/2460-204-0x0000000007440000-0x0000000007452000-memory.dmp

Filesize
72KB

Download
memory/2460-203-0x00000000079D0000-0x0000000007FE8000-memory.dmp

Filesize
6.1MB

Download
memory/3936-194-0x0000000002090000-0x00000000020D7000-memory.dmp

Filesize
284KB

Download