8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21

Analysis

max time kernel
140s
max time network
88s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
04-05-2023 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe
Size

708KB
MD5

5068b96e85e5a23e0e726dc7ccc30a45
SHA1

6e7e6344e95960fd834a6476fa57647e1f9508f1
SHA256

8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21
SHA512

48f94478f3a0c62d932f601821d7f94639e48c53d2bfd59a8732d7ca2f79b674f2a003ffc72108c3d02f967751452465825ae161aebbf0a30ba9da628f40bb32
SSDEEP

12288:LMrry90WjKwq1Ud1+hhzq/Ds6YqYq6MW+tYQAYrUZ18ma/v6psXDGf2V3iWA7:cyzjDqm/+vmLeqd6EtYQjg18m6v666E+

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h5054785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h5054785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h5054785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h5054785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h5054785.exe

Executes dropped EXE 4 IoCs

pid	Process
3488	x2155448.exe
1728	g5441036.exe
2828	h5054785.exe
2124	i5727389.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	h5054785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	h5054785.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2155448.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2155448.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2640	2124	WerFault.exe	70
4976	2124	WerFault.exe	70
4672	2124	WerFault.exe	70
3788	2124	WerFault.exe	70
404	2124	WerFault.exe	70
4480	2124	WerFault.exe	70
4308	2124	WerFault.exe	70
4716	2124	WerFault.exe	70
4364	2124	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1728	g5441036.exe
1728	g5441036.exe
2828	h5054785.exe
2828	h5054785.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	g5441036.exe
Token: SeDebugPrivilege	2828	h5054785.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 3488	4024	8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe	66
PID 4024 wrote to memory of 3488	4024	8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe	66
PID 4024 wrote to memory of 3488	4024	8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe	66
PID 3488 wrote to memory of 1728	3488	x2155448.exe	67
PID 3488 wrote to memory of 1728	3488	x2155448.exe	67
PID 3488 wrote to memory of 1728	3488	x2155448.exe	67
PID 3488 wrote to memory of 2828	3488	x2155448.exe	69
PID 3488 wrote to memory of 2828	3488	x2155448.exe	69
PID 3488 wrote to memory of 2828	3488	x2155448.exe	69
PID 4024 wrote to memory of 2124	4024	8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe	70
PID 4024 wrote to memory of 2124	4024	8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe	70
PID 4024 wrote to memory of 2124	4024	8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe	70

C:\Users\Admin\AppData\Local\Temp\8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe
"C:\Users\Admin\AppData\Local\Temp\8d5c8862183c532569c218167bae8237f35cd669b17f1fcfd14991d581ea1c21.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2155448.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2155448.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5441036.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5441036.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5054785.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5054785.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5727389.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5727389.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 620
    3⤵
    - Program crash
    PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 700
    3⤵
    - Program crash
    PID:4976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 852
    3⤵
    - Program crash
    PID:4672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 856
    3⤵
    - Program crash
    PID:3788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 888
    3⤵
    - Program crash
    PID:404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 892
    3⤵
    - Program crash
    PID:4480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1128
    3⤵
    - Program crash
    PID:4308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1152
    3⤵
    - Program crash
    PID:4716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1112
    3⤵
    - Program crash
    PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5727389.exe

Filesize
340KB

MD5
6997abe94098dbb842b33b1708336f06

SHA1
6e564a2d2043a28051adc7a8f837f36bfef8c77c

SHA256
5db2c942a8dae2cf60439adb8968c652b964072a1acd695b0b92bedfc3933cec

SHA512
8d29e68d5c9aac1e2fcb258279f22e36ff0a4087f8ab2b4b01180d14c708644aa54ff47cf70e759cbd8597dc74cd3d676f9571037964e5c16baa33aa7eb6eb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5727389.exe

Filesize
340KB

MD5
6997abe94098dbb842b33b1708336f06

SHA1
6e564a2d2043a28051adc7a8f837f36bfef8c77c

SHA256
5db2c942a8dae2cf60439adb8968c652b964072a1acd695b0b92bedfc3933cec

SHA512
8d29e68d5c9aac1e2fcb258279f22e36ff0a4087f8ab2b4b01180d14c708644aa54ff47cf70e759cbd8597dc74cd3d676f9571037964e5c16baa33aa7eb6eb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2155448.exe

Filesize
416KB

MD5
b25299a2bd621bb36b31c7e9268011c9

SHA1
990c6bbbe7a50cd871d018158ade064f39142881

SHA256
e77b18f15c991f177419917e8e9901f317c392eb1bb1295afe2fcbd27c0c7ed7

SHA512
2e2e06f123631e9a556afcb28b871617c4cbc4e5a657b876777c30ad045f55ae841ddc08e5fc0a0112b397bb7fd471ff1db9ceb911716ec885a3faf04aedd371

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2155448.exe

Filesize
416KB

MD5
b25299a2bd621bb36b31c7e9268011c9

SHA1
990c6bbbe7a50cd871d018158ade064f39142881

SHA256
e77b18f15c991f177419917e8e9901f317c392eb1bb1295afe2fcbd27c0c7ed7

SHA512
2e2e06f123631e9a556afcb28b871617c4cbc4e5a657b876777c30ad045f55ae841ddc08e5fc0a0112b397bb7fd471ff1db9ceb911716ec885a3faf04aedd371

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5441036.exe

Filesize
136KB

MD5
63e5381c96c55d4a64de46868874737a

SHA1
87ce70b2327d9607610831ce6b5ac0bc3938d018

SHA256
7e55af49d0a464c1dbfbdd1419d2a5e00899c8acb9563acca47e85d0ffa0d01d

SHA512
b4d93c57196097dd896d25eafcc3b94052e4b317ecd5dd384dd0d02b3b4ec0b17f59d385f9cfc6fec8c3ab93ec9093d69004ea9b1c700f5cae1e5255e15eb38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5441036.exe

Filesize
136KB

MD5
63e5381c96c55d4a64de46868874737a

SHA1
87ce70b2327d9607610831ce6b5ac0bc3938d018

SHA256
7e55af49d0a464c1dbfbdd1419d2a5e00899c8acb9563acca47e85d0ffa0d01d

SHA512
b4d93c57196097dd896d25eafcc3b94052e4b317ecd5dd384dd0d02b3b4ec0b17f59d385f9cfc6fec8c3ab93ec9093d69004ea9b1c700f5cae1e5255e15eb38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5054785.exe

Filesize
360KB

MD5
ae3349325ffc6e4d88de63f8aeb97c1f

SHA1
1cc0e41c0e03110a855902f2142f205f15bad649

SHA256
68b77b72b80d4cbe7cb7efab45e677a524c8135855002571fece077cde27940e

SHA512
3ab4c44c703c45669bb111a16ee6cd9aa3003e4511cea515f145b6b86504b1a59834df99537e8e85d361061d1c03e6ac98ed40e6f91100fc76728fda22aec611

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5054785.exe

Filesize
360KB

MD5
ae3349325ffc6e4d88de63f8aeb97c1f

SHA1
1cc0e41c0e03110a855902f2142f205f15bad649

SHA256
68b77b72b80d4cbe7cb7efab45e677a524c8135855002571fece077cde27940e

SHA512
3ab4c44c703c45669bb111a16ee6cd9aa3003e4511cea515f145b6b86504b1a59834df99537e8e85d361061d1c03e6ac98ed40e6f91100fc76728fda22aec611

Download Submit
memory/1728-139-0x00000000077F0000-0x0000000007800000-memory.dmp

Filesize
64KB

Download
memory/1728-144-0x00000000088C0000-0x0000000008DBE000-memory.dmp

Filesize
5.0MB

Download
memory/1728-137-0x0000000007410000-0x0000000007422000-memory.dmp

Filesize
72KB

Download
memory/1728-138-0x0000000007540000-0x000000000764A000-memory.dmp

Filesize
1.0MB

Download
memory/1728-135-0x0000000000730000-0x0000000000758000-memory.dmp

Filesize
160KB

Download
memory/1728-140-0x0000000007470000-0x00000000074AE000-memory.dmp

Filesize
248KB

Download
memory/1728-141-0x00000000074B0000-0x00000000074FB000-memory.dmp

Filesize
300KB

Download
memory/1728-142-0x0000000007800000-0x0000000007866000-memory.dmp

Filesize
408KB

Download
memory/1728-143-0x0000000008320000-0x00000000083B2000-memory.dmp

Filesize
584KB

Download
memory/1728-136-0x0000000007970000-0x0000000007F76000-memory.dmp

Filesize
6.0MB

Download
memory/1728-145-0x0000000008440000-0x00000000084B6000-memory.dmp

Filesize
472KB

Download
memory/1728-146-0x0000000008DC0000-0x0000000008F82000-memory.dmp

Filesize
1.8MB

Download
memory/1728-147-0x00000000094C0000-0x00000000099EC000-memory.dmp

Filesize
5.2MB

Download
memory/1728-148-0x00000000085C0000-0x00000000085DE000-memory.dmp

Filesize
120KB

Download
memory/1728-149-0x0000000008720000-0x0000000008770000-memory.dmp

Filesize
320KB

Download
memory/2124-199-0x00000000006F0000-0x0000000000725000-memory.dmp

Filesize
212KB

Download
memory/2124-200-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/2828-155-0x00000000026E0000-0x00000000026FA000-memory.dmp

Filesize
104KB

Download
memory/2828-180-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-158-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-160-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-164-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-162-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-166-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-168-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-170-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-172-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-178-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-176-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-174-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-157-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-182-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-184-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/2828-188-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2828-187-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2828-186-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2828-185-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2828-189-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2828-192-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2828-156-0x0000000004C20000-0x0000000004C38000-memory.dmp

Filesize
96KB

Download
memory/2828-191-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2828-193-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2828-194-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download