927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199

General

Target

927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe
Size

308KB
MD5

56e23384e1002c6cee17fd94fc45dd15
SHA1

c4c74b902c8d959490bdb3c838d58c4103fdf208
SHA256

927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199
SHA512

80323ef87f7aaaea01e5e25edcfc3b9bd5231a4ebbf3b1c066cedab0aaa281db6138812827ceb8a8f85e06b3107500dcf907a21fb40134424cdf6978c46231c1
SSDEEP

6144:Kgy+bnr+Bp0yN90QERlEY+zbPsE4JqR7wVvEXQwjxyoEifap:QMrFy90vb+zzet+ytifap

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g7688351.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g7688351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g7688351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g7688351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g7688351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g7688351.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	g7688351.exe
3916	h8448716.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g7688351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g7688351.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2344	g7688351.exe
2344	g7688351.exe
3916	h8448716.exe
3916	h8448716.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	g7688351.exe
Token: SeDebugPrivilege	3916	h8448716.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2344	1464	927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe	84
PID 1464 wrote to memory of 2344	1464	927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe	84
PID 1464 wrote to memory of 2344	1464	927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe	84
PID 1464 wrote to memory of 3916	1464	927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe	88
PID 1464 wrote to memory of 3916	1464	927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe	88
PID 1464 wrote to memory of 3916	1464	927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe	88

C:\Users\Admin\AppData\Local\Temp\927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe
"C:\Users\Admin\AppData\Local\Temp\927489cc9c682730fbb0b7ebc00f03806ca0f7d5de98629cabad69058e64a199.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g7688351.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g7688351.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8448716.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8448716.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g7688351.exe

Filesize
176KB

MD5
d00ae4bad5322688b1fd5052d9bb8140

SHA1
aafcfbf9a2451dab2a7a96ed7dbb4608dd89a136

SHA256
0de64fcd2968bb194cc03016d03d26040d7cad443c85495915f474cecc5aa9cc

SHA512
16f51d81e21f160c87031337830aa43ab3be4926bcf88c459fc22c29e10d00fad3789ce9c2a8380b135f14bf844e6b799d6d28ca854da4ec0df63caeaa25202c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g7688351.exe

Filesize
176KB

MD5
d00ae4bad5322688b1fd5052d9bb8140

SHA1
aafcfbf9a2451dab2a7a96ed7dbb4608dd89a136

SHA256
0de64fcd2968bb194cc03016d03d26040d7cad443c85495915f474cecc5aa9cc

SHA512
16f51d81e21f160c87031337830aa43ab3be4926bcf88c459fc22c29e10d00fad3789ce9c2a8380b135f14bf844e6b799d6d28ca854da4ec0df63caeaa25202c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8448716.exe

Filesize
136KB

MD5
287e9e7b78d53769d293790f6c33c5a3

SHA1
9f299b8b58062347a5fba2cff44088ad8f6ea194

SHA256
223bb6f3aa7d07fc251ff4b7c7e5f4226babe69a765ddef0d8059cc8ec741441

SHA512
df2645cce2720c3b25c6381be39d344c187d96e3ea7ddc283408f511897e70ac8923a01c43bef441dcfaa1c618408a0f51c2a4643b058297a4801b3eafccc99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8448716.exe

Filesize
136KB

MD5
287e9e7b78d53769d293790f6c33c5a3

SHA1
9f299b8b58062347a5fba2cff44088ad8f6ea194

SHA256
223bb6f3aa7d07fc251ff4b7c7e5f4226babe69a765ddef0d8059cc8ec741441

SHA512
df2645cce2720c3b25c6381be39d344c187d96e3ea7ddc283408f511897e70ac8923a01c43bef441dcfaa1c618408a0f51c2a4643b058297a4801b3eafccc99a

Download Submit
memory/2344-171-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-143-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2344-144-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-145-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-147-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-149-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-151-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-153-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-157-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-155-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-159-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-161-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-163-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-165-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-167-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-169-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2344-172-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2344-141-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2344-173-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2344-174-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2344-142-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2344-140-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/3916-188-0x00000000086D0000-0x0000000008746000-memory.dmp

Filesize
472KB

Download
memory/3916-191-0x0000000008A20000-0x0000000008A3E000-memory.dmp

Filesize
120KB

Download
memory/3916-181-0x0000000007730000-0x0000000007742000-memory.dmp

Filesize
72KB

Download
memory/3916-182-0x0000000007860000-0x000000000796A000-memory.dmp

Filesize
1.0MB

Download
memory/3916-183-0x0000000007790000-0x00000000077CC000-memory.dmp

Filesize
240KB

Download
memory/3916-179-0x0000000000A20000-0x0000000000A48000-memory.dmp

Filesize
160KB

Download
memory/3916-187-0x0000000008770000-0x0000000008802000-memory.dmp

Filesize
584KB

Download
memory/3916-186-0x00000000079E0000-0x0000000007A46000-memory.dmp

Filesize
408KB

Download
memory/3916-180-0x0000000007CB0000-0x00000000082C8000-memory.dmp

Filesize
6.1MB

Download
memory/3916-185-0x0000000007AD0000-0x0000000007AE0000-memory.dmp

Filesize
64KB

Download
memory/3916-189-0x0000000008BD0000-0x0000000008D92000-memory.dmp

Filesize
1.8MB

Download
memory/3916-190-0x00000000098A0000-0x0000000009DCC000-memory.dmp

Filesize
5.2MB

Download
memory/3916-184-0x0000000007AD0000-0x0000000007AE0000-memory.dmp

Filesize
64KB

Download
memory/3916-192-0x0000000002BB0000-0x0000000002C00000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads