c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396

Analysis

max time kernel
149s
max time network
86s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
04/05/2023, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe
Size

599KB
MD5

43b5c43fb2efd3cc59ffbdd497f348be
SHA1

ac3dd4a7ee78ff570f3d35ebbe9e04ec53833a2e
SHA256

c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396
SHA512

a53d0c75dbeff89fc069b4090e5a8e4da923c333a7673018a3e4869efc7764e956ad28ff4f5db3eb52147d61f2d3eba3376652e9ebd29cb204246aed6befd86b
SSDEEP

12288:OMr8y90V2OFBATFiKTBooX1IfCuspKLpM1l6FMdPWw2VgkpMmbou:myi3FBKkDgafAKLpyl+Vzdbd

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l2146942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l2146942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l2146942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l2146942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l2146942.exe

Executes dropped EXE 4 IoCs

pid	Process
2524	y1144871.exe
2996	k7576388.exe
3504	l2146942.exe
4076	m2644727.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l2146942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l2146942.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1144871.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1144871.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
5064	4076	WerFault.exe	70
5084	4076	WerFault.exe	70
700	4076	WerFault.exe	70
780	4076	WerFault.exe	70
2992	4076	WerFault.exe	70
4712	4076	WerFault.exe	70
4804	4076	WerFault.exe	70
756	4076	WerFault.exe	70
3344	4076	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2996	k7576388.exe
2996	k7576388.exe
3504	l2146942.exe
3504	l2146942.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	k7576388.exe
Token: SeDebugPrivilege	3504	l2146942.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2524	2488	c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe	66
PID 2488 wrote to memory of 2524	2488	c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe	66
PID 2488 wrote to memory of 2524	2488	c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe	66
PID 2524 wrote to memory of 2996	2524	y1144871.exe	67
PID 2524 wrote to memory of 2996	2524	y1144871.exe	67
PID 2524 wrote to memory of 2996	2524	y1144871.exe	67
PID 2524 wrote to memory of 3504	2524	y1144871.exe	69
PID 2524 wrote to memory of 3504	2524	y1144871.exe	69
PID 2524 wrote to memory of 3504	2524	y1144871.exe	69
PID 2488 wrote to memory of 4076	2488	c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe	70
PID 2488 wrote to memory of 4076	2488	c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe	70
PID 2488 wrote to memory of 4076	2488	c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe	70

C:\Users\Admin\AppData\Local\Temp\c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe
"C:\Users\Admin\AppData\Local\Temp\c84a07cb25dc9affdbba7a9bd371c5e0da3d3920fd7470c9d95cbcedd9f31396.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1144871.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1144871.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7576388.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7576388.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2146942.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2146942.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m2644727.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m2644727.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 620
    3⤵
    - Program crash
    PID:5064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 700
    3⤵
    - Program crash
    PID:5084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 844
    3⤵
    - Program crash
    PID:700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 856
    3⤵
    - Program crash
    PID:780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 908
    3⤵
    - Program crash
    PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 880
    3⤵
    - Program crash
    PID:4712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1124
    3⤵
    - Program crash
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1152
    3⤵
    - Program crash
    PID:756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1140
    3⤵
    - Program crash
    PID:3344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m2644727.exe

Filesize
340KB

MD5
f83a14e89eae30b67bf0f9ecc08e183b

SHA1
f72dd60561f900e06b293fdf434e8671634debc6

SHA256
262c2eaad5cd745dce72adc4a48a9db5d3b8009954a2ab0095bcbb31d87a2a3e

SHA512
4dbbc9a38d2ce505d618f6b778b893d363bf54eb33f16b3378df3ebb14548b2694bb2da1de45d15c7edd0c25c11714f33268c5a59debf0c82bf46300be1a06f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m2644727.exe

Filesize
340KB

MD5
f83a14e89eae30b67bf0f9ecc08e183b

SHA1
f72dd60561f900e06b293fdf434e8671634debc6

SHA256
262c2eaad5cd745dce72adc4a48a9db5d3b8009954a2ab0095bcbb31d87a2a3e

SHA512
4dbbc9a38d2ce505d618f6b778b893d363bf54eb33f16b3378df3ebb14548b2694bb2da1de45d15c7edd0c25c11714f33268c5a59debf0c82bf46300be1a06f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1144871.exe

Filesize
307KB

MD5
3311c99041546b81d3c24eb98c845a92

SHA1
8aee8757e9a27ae169ade6a4ecd748176acd2d8c

SHA256
3f238fceb73ff892827ba9958ca74630394922cb4ffb85bc8dd5b319d3fc0b59

SHA512
2e22b2327703a2f2dca0293f89cbb6a554881cd73fb7453b7d67934214d6ff862b265ba739e35691c3b379e556dd37129bafcd22416f8af1cb456c47500aef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1144871.exe

Filesize
307KB

MD5
3311c99041546b81d3c24eb98c845a92

SHA1
8aee8757e9a27ae169ade6a4ecd748176acd2d8c

SHA256
3f238fceb73ff892827ba9958ca74630394922cb4ffb85bc8dd5b319d3fc0b59

SHA512
2e22b2327703a2f2dca0293f89cbb6a554881cd73fb7453b7d67934214d6ff862b265ba739e35691c3b379e556dd37129bafcd22416f8af1cb456c47500aef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7576388.exe

Filesize
136KB

MD5
9faf39364a842c667a5656538ba5b20b

SHA1
edf5758e30f439754020f0e90669038633585c5f

SHA256
22c2fff4162ee68115b065f07b6c23d3caaf4eb08626363714e8fa56a9684183

SHA512
7ddbd8d74f0471423e07bbb39f28e9fb082cec8d3d8ddce3efe6b034a9486528d9b024417a92472ef83a6a7ae0022466ff271475a036163c202ac6b2ded1f740

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7576388.exe

Filesize
136KB

MD5
9faf39364a842c667a5656538ba5b20b

SHA1
edf5758e30f439754020f0e90669038633585c5f

SHA256
22c2fff4162ee68115b065f07b6c23d3caaf4eb08626363714e8fa56a9684183

SHA512
7ddbd8d74f0471423e07bbb39f28e9fb082cec8d3d8ddce3efe6b034a9486528d9b024417a92472ef83a6a7ae0022466ff271475a036163c202ac6b2ded1f740

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2146942.exe

Filesize
175KB

MD5
cdfc0dd25fc5a5837fae5a058ae129ae

SHA1
38a77628a59260190ac3ed3db173e2ad4cfb9ce7

SHA256
fcea6ffdab51342ffe492b192f2921ff139fd5142e4a7e4783e8146fb13a90de

SHA512
ae023bcda5aa7fb6c39275968c9dab527d1bf3292f6df57747926cee58838eb35dc045a96bb4e885ee5b3b0782c08f4bff65419f753d175967fcea3925dffd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2146942.exe

Filesize
175KB

MD5
cdfc0dd25fc5a5837fae5a058ae129ae

SHA1
38a77628a59260190ac3ed3db173e2ad4cfb9ce7

SHA256
fcea6ffdab51342ffe492b192f2921ff139fd5142e4a7e4783e8146fb13a90de

SHA512
ae023bcda5aa7fb6c39275968c9dab527d1bf3292f6df57747926cee58838eb35dc045a96bb4e885ee5b3b0782c08f4bff65419f753d175967fcea3925dffd15

Download Submit
memory/2996-141-0x0000000007830000-0x0000000007840000-memory.dmp

Filesize
64KB

Download
memory/2996-146-0x00000000085D0000-0x0000000008646000-memory.dmp

Filesize
472KB

Download
memory/2996-139-0x0000000007520000-0x000000000755E000-memory.dmp

Filesize
248KB

Download
memory/2996-142-0x00000000078B0000-0x0000000007916000-memory.dmp

Filesize
408KB

Download
memory/2996-143-0x0000000008360000-0x00000000083F2000-memory.dmp

Filesize
584KB

Download
memory/2996-144-0x0000000008900000-0x0000000008DFE000-memory.dmp

Filesize
5.0MB

Download
memory/2996-145-0x0000000008500000-0x0000000008550000-memory.dmp

Filesize
320KB

Download
memory/2996-140-0x0000000007560000-0x00000000075AB000-memory.dmp

Filesize
300KB

Download
memory/2996-147-0x0000000008320000-0x000000000833E000-memory.dmp

Filesize
120KB

Download
memory/2996-148-0x0000000008FD0000-0x0000000009192000-memory.dmp

Filesize
1.8MB

Download
memory/2996-149-0x00000000096D0000-0x0000000009BFC000-memory.dmp

Filesize
5.2MB

Download
memory/2996-138-0x00000000075F0000-0x00000000076FA000-memory.dmp

Filesize
1.0MB

Download
memory/2996-137-0x00000000074C0000-0x00000000074D2000-memory.dmp

Filesize
72KB

Download
memory/2996-136-0x0000000007AB0000-0x00000000080B6000-memory.dmp

Filesize
6.0MB

Download
memory/2996-135-0x00000000007E0000-0x0000000000808000-memory.dmp

Filesize
160KB

Download
memory/3504-155-0x00000000022A0000-0x00000000022B8000-memory.dmp

Filesize
96KB

Download
memory/3504-157-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-159-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-161-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-163-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-165-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-167-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-169-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-171-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-175-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-173-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-177-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-179-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-181-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-183-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-184-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3504-185-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3504-186-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3504-156-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/3504-154-0x0000000002210000-0x000000000222A000-memory.dmp

Filesize
104KB

Download
memory/4076-192-0x00000000007C0000-0x00000000007F5000-memory.dmp

Filesize
212KB

Download
memory/4076-193-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download