Analysis
max time kernel: 148s
max time network: 139s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/04/2023, 23:14
Static task: static1
General
Target: 03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe
Size: 950KB
MD5: 2a34f6b8fe2dbbc72fff8fda80ffa8eb
SHA1: 6753b9ab0d19283f0b2bdd99031317d5abd3764d
SHA256: 03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4
SHA512: 1318218f0133d999d88257327c9dbb633e2608ca4d5f4f3774a259d368b401a3ec718ff3749334dc73e4c8e9c17c8f90c402fbfe09f25c02f7674ff5fb275b0b
SSDEEP: 24576:ayrZzzNAdOq8P21q+YUuNp1qFxWoV9igSHdA0Xnq+:hrN5A4zN+M9CWoV2d3q
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it069192.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it069192.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it069192.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it069192.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it069192.exe
All five values sit under the HKLM Policies hive, which Defender treats as Group Policy configuration overriding the user-facing settings, so the write implies it069192.exe ran with administrative rights. The sandbox image is Windows 10 1703, which predates Tamper Protection, so nothing on this image reverted the change; on builds with Tamper Protection enabled, Defender rejects and reverts such writes from third-party processes, and a write that actually takes effect is itself a strong signal.
Executes dropped EXE 6 IoCs
pid | Process
3548 | zijF9584.exe
2348 | ziVY4555.exe
4500 | it069192.exe
4916 | jr268695.exe
2144 | kp943372.exe
3736 | lr520498.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it069192.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zijF9584.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zijF9584.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziVY4555.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ziVY4555.exe
The wextract_cleanup0..2 RunOnce values and the IXP000.TMP..IXP002.TMP directories are the standard footprint of IExpress/wextract self-extracting executables: each layer unpacks into the next IXP%03d.TMP directory and queues a RunOnce entry that deletes that directory at the next logon through advpack.dll!DelNodeRunDLL32. The signature is filed under Run-key persistence, but these entries only schedule cleanup and start no payload. What they do tell you is that the sample is three nested SFX layers deep before the real components (it069192.exe and jr268695.exe in IXP002.TMP, kp943372.exe in IXP001.TMP, lr520498.exe in IXP000.TMP) run.
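The three registry signatures above (Real-Time Protection policy values set to 1, TamperProtection set to 0, and the wextract_cleanup RunOnce entries) are all "value set" events, so one classifier can cover them. The following is an added example, not code from the sandbox: the event records are constructed from the IoCs in this report plus two hypothetical benign controls (a svchost.exe write that re-enables real-time monitoring and an ordinary explorer.exe Run entry), and the rule names, `RegEvent` and `Finding` types are the example's own. Sysmon-style paths (`HKLM\...`) and `DWORD (0x...)` data are normalised so the same rules run over Sysmon Event ID 13 records.

```python
"""Classify registry value-set events against the three registry-based
signatures in this report: Defender Real-Time Protection policy values set
to 1, TamperProtection set to 0, and IExpress 'wextract_cleanup' RunOnce
entries. Added example, not sandbox code. Event records are constructed
from the report's IoCs plus two hypothetical benign controls."""

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegEvent:
    process: str   # image that performed the write
    target: str    # key path plus value name, sandbox or Sysmon (HKLM\...) form
    details: str   # value data as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    target: str


RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION"
RTP_DISABLE_VALUES = {
    "DISABLEBEHAVIORMONITORING", "DISABLEIOAVPROTECTION", "DISABLEONACCESSPROTECTION",
    "DISABLEREALTIMEMONITORING", "DISABLESCANONREALTIMEENABLE",
}
DEFENDER_FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\FEATURES"
RUNONCE_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(WOW6432NODE\\)?MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE$")
# advpack.dll!DelNodeRunDLL32 aimed at an IXP###.TMP directory: IExpress self-extractor cleanup
CLEANUP_DATA_RE = re.compile(r"ADVPACK\.DLL,DELNODERUNDLL32 .*\\IXP\d{3}\.TMP", re.IGNORECASE)
_DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


def normalise(path: str) -> str:
    """Map Sysmon's HKLM\\ prefix onto the native \\REGISTRY\\MACHINE\\ form, upper-cased."""
    up = path.upper()
    for short in ("HKLM\\", "HKEY_LOCAL_MACHINE\\"):
        if up.startswith(short):
            return "\\REGISTRY\\MACHINE\\" + up[len(short):]
    return up


def int_value(details: str) -> Optional[int]:
    """Parse '"1"' (sandbox) or 'DWORD (0x00000001)' (Sysmon) to an int; None for non-numeric data."""
    d = details.strip().strip('"')
    m = _DWORD_RE.fullmatch(d)
    if m:
        return int(m[1], 16)
    return int(d) if d.isdigit() else None


def classify(ev: RegEvent) -> Optional[Finding]:
    key = normalise(ev.target)
    parent, _, value = key.rpartition("\\")
    num = int_value(ev.details)
    if parent == RTP_POLICY and value in RTP_DISABLE_VALUES and num == 1:
        return Finding("defender_rtp_policy_disabled", ev.process, ev.target)
    if parent == DEFENDER_FEATURES and value == "TAMPERPROTECTION" and num == 0:
        return Finding("defender_tamper_protection_off", ev.process, ev.target)
    if (RUNONCE_RE.match(parent) and value.startswith("WEXTRACT_CLEANUP")
            and CLEANUP_DATA_RE.search(ev.details)):
        return Finding("iexpress_sfx_cleanup", ev.process, ev.target)
    return None


def scan(events):
    return [f for f in map(classify, events) if f is not None]


def summarise(findings):
    """Per-process rule counts, e.g. {'it069192.exe': {'defender_rtp_policy_disabled': 5, ...}}."""
    out = {}
    for f in findings:
        out.setdefault(f.process, Counter())[f.rule] += 1
    return {p: dict(c) for p, c in out.items()}


SAMPLE_EXE = "03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP00{}.TMP\"'

SAMPLE_EVENTS = [
    RegEvent("it069192.exe", RTP + "\\" + v, '"1"') for v in (
        "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
        "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")
] + [
    RegEvent("it069192.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", '"0"'),
    RegEvent(SAMPLE_EXE, RUNONCE + r"\wextract_cleanup0", CLEANUP.format(0)),
    RegEvent("zijF9584.exe", RUNONCE + r"\wextract_cleanup1", CLEANUP.format(1)),
    RegEvent("ziVY4555.exe", RUNONCE + r"\wextract_cleanup2", CLEANUP.format(2)),
    # Hypothetical benign controls in Sysmon form: RTP re-enabled, and an ordinary Run entry.
    RegEvent("svchost.exe", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    RegEvent("explorer.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", r"C:\Users\Admin\OneDrive.exe"),
]

if __name__ == "__main__":
    for proc, counts in summarise(scan(SAMPLE_EVENTS)).items():
        print(proc, counts)
```

In production the `target` and `details` fields map onto Sysmon Event ID 13's TargetObject and Details. The two Defender rules are alert-grade on their own; the `iexpress_sfx_cleanup` rule is a staging indicator, since legitimate IExpress packages leave the same entry, and is best used as context for the process that wrote it.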
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The "likely ransomware" wording is the sandbox's generic description for this signature. In this report the drive enumeration sits alongside browser-data and wallet access, and no encryption or ransom-note behaviour appears, so an infostealer enumerating drives to harvest files is the more consistent reading.
Program crash 9 IoCs
pid | pid_target | Process | procid_target
3588 | 3736 | WerFault.exe | 72
2368 | 3736 | WerFault.exe | 72
5112 | 3736 | WerFault.exe | 72
4816 | 3736 | WerFault.exe | 72
2080 | 3736 | WerFault.exe | 72
4240 | 3736 | WerFault.exe | 72
1016 | 3736 | WerFault.exe | 72
1800 | 3736 | WerFault.exe | 72
4392 | 3736 | WerFault.exe | 72
All nine WerFault.exe instances report on PID 3736, lr520498.exe, the component dropped by the outermost extractor; it was reported to Windows Error Reporting nine times during the run.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4500 | it069192.exe
4500 | it069192.exe
4916 | jr268695.exe
4916 | jr268695.exe
2144 | kp943372.exe
2144 | kp943372.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4500 | it069192.exe
Token: SeDebugPrivilege | 4916 | jr268695.exe
Token: SeDebugPrivilege | 2144 | kp943372.exe
SeDebugPrivilege lets a process open handles to processes it does not own. The same three components also enumerate processes, which is the usual preparation for reading from or writing into other processes.
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3736 | lr520498.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4124 wrote to memory of 3548 | 4124 | 03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe | 66 (logged 3 times)
PID 3548 wrote to memory of 2348 | 3548 | zijF9584.exe | 67 (logged 3 times)
PID 2348 wrote to memory of 4500 | 2348 | ziVY4555.exe | 68 (logged 2 times)
PID 2348 wrote to memory of 4916 | 2348 | ziVY4555.exe | 69 (logged 3 times)
PID 3548 wrote to memory of 2144 | 3548 | zijF9584.exe | 71 (logged 3 times)
PID 4124 wrote to memory of 3736 | 4124 | 03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe | 72 (logged 3 times)
procid_target is the sandbox's index of the target in its process list. Every write goes from a parent into a child it launched, consistent with process start-up rather than injection into an unrelated, already running process; the rows reproduce the parent/child edges of the process tree exactly.
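The "wrote to memory of", "Executes dropped EXE" and "Program crash" tables together contain everything needed to rebuild the process tree that follows, which is a useful cross-check when a report's rendered tree is truncated or garbled. The following is an added example, not sandbox code: the row text is copied from this report's tables (repeated rows repeated), while the parsing, the tree construction and the rendering are the example's own.

```python
"""Rebuild the process tree from the sandbox's flattened 'wrote to memory',
'Executes dropped EXE' and 'Program crash' rows, and check it against the
rendered tree. Added example, not sandbox code; the row text is copied from
this report's tables, the parsing and rendering are the example's own."""

import re
from collections import OrderedDict, defaultdict

SAMPLE = "03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe"

# The 17 WriteProcessMemory rows, in report order (repeated rows are repeated here too).
WPM_ROWS = " ".join(
    [f"PID 4124 wrote to memory of 3548 4124 {SAMPLE} 66"] * 3
    + ["PID 3548 wrote to memory of 2348 3548 zijF9584.exe 67"] * 3
    + ["PID 2348 wrote to memory of 4500 2348 ziVY4555.exe 68"] * 2
    + ["PID 2348 wrote to memory of 4916 2348 ziVY4555.exe 69"] * 3
    + ["PID 3548 wrote to memory of 2144 3548 zijF9584.exe 71"] * 3
    + [f"PID 4124 wrote to memory of 3736 4124 {SAMPLE} 72"] * 3
)
EXEC_ROWS = ("pid Process 3548 zijF9584.exe 2348 ziVY4555.exe 4500 it069192.exe "
             "4916 jr268695.exe 2144 kp943372.exe 3736 lr520498.exe")
CRASH_ROWS = ("pid pid_target Process procid_target 3588 3736 WerFault.exe 72 "
              "2368 3736 WerFault.exe 72 5112 3736 WerFault.exe 72 4816 3736 WerFault.exe 72 "
              "2080 3736 WerFault.exe 72 4240 3736 WerFault.exe 72 1016 3736 WerFault.exe 72 "
              "1800 3736 WerFault.exe 72 4392 3736 WerFault.exe 72")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
EXEC_RE = re.compile(r"(\d+) (\S+\.exe)")
CRASH_RE = re.compile(r"(\d+) (\d+) (WerFault\.exe) (\d+)")


def parse(wpm=WPM_ROWS, execs=EXEC_ROWS, crashes=CRASH_ROWS):
    """Return (names, children, writes): pid->image, parent->[child pids], (parent, child)->write count."""
    names, children, writes = {}, defaultdict(list), OrderedDict()
    for m in WPM_RE.finditer(wpm):
        parent, child, name = int(m[1]), int(m[2]), m[4]
        names.setdefault(parent, name)
        if child not in children[parent]:
            children[parent].append(child)
        writes[(parent, child)] = writes.get((parent, child), 0) + 1
    for m in EXEC_RE.finditer(execs):
        names.setdefault(int(m[1]), m[2])
    for m in CRASH_RE.finditer(crashes):          # WerFault is spawned for the crashing pid
        wer, target = int(m[1]), int(m[2])
        names.setdefault(wer, m[3])
        children[target].append(wer)
    return names, dict(children), writes


def roots(children):
    """Pids that are parents but never children: the submitted sample."""
    kids = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in kids]


def depth(children, pid, root):
    """1-based depth of pid under root, matching the level numbers in the report's tree."""
    def walk(node, d):
        if node == pid:
            return d
        for c in children.get(node, []):
            found = walk(c, d + 1)
            if found:
                return found
        return None
    return walk(root, 1)


def render(names, children, writes, root):
    """Indented tree, one line per process, with the WriteProcessMemory count on the edge."""
    lines = []
    def walk(pid, d, parent=None):
        note = f"  [{writes[(parent, pid)]} WriteProcessMemory]" if (parent, pid) in writes else ""
        lines.append("  " * (d - 1) + f"{names.get(pid, '?')} (PID {pid}){note}")
        for c in children.get(pid, []):
            walk(c, d + 1, pid)
    walk(root, 1)
    return lines


if __name__ == "__main__":
    n, c, w = parse()
    print("\n".join(render(n, c, w, roots(c)[0])))
```

Run stand-alone it prints the same shape as the Processes section below: the sample at level 1, zijF9584.exe and lr520498.exe at level 2, the nine WerFault.exe instances under lr520498.exe at level 3, and it069192.exe and jr268695.exe at level 4. If the rebuilt tree and the rendered one disagree, one of the two tables has been truncated in extraction.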
Processes

C:\Users\Admin\AppData\Local\Temp\03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe (PID 4124)
  command line: "C:\Users\Admin\AppData\Local\Temp\03d533e816dd933851cb98a3b4015a32aeaee9862a62e622778a744988eaf3d4.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF9584.exe (PID 3548)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVY4555.exe (PID 2348)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it069192.exe (PID 4500)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr268695.exe (PID 4916)
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp943372.exe (PID 2144)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr520498.exe (PID 3736)
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 620 (PID 3588)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 700 (PID 2368)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 840 (PID 5112)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 848 (PID 4816)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 876 (PID 2080)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 836 (PID 4240)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1120 (PID 1016)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1180 (PID 1800)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1200 (PID 4392)
      - Program crash

Each level of the tree is one IExpress self-extractor layer: the submitted sample unpacks into IXP000.TMP, zijF9584.exe into IXP001.TMP and ziVY4555.exe into IXP002.TMP, and the final components run from those directories. it069192.exe is the component that disables Defender; it, jr268695.exe and kp943372.exe take SeDebugPrivilege and enumerate processes; lr520498.exe is the one that crashed nine times under WerFault.
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists the dropped files by hash only, without file names, so the order here should not be assumed to match the order of the dropped EXE table.

Filesize: 390KB
MD5: 5ed9270ca56d41db87987823290dfa15
SHA1: 89f81232efb22eb536efd30fa52ed8710601b592
SHA256: 74c8d2e808ec0734e30d03e29b9a17b020bdbe85b6584c1aa501ba892ae4a054
SHA512: e612b392272b0b6cf27582286e1ac92a5609bb51f72af0c8acdb489ad6e3ab1ecba5470cf391015dab06dc67c01726da60f3bc9da68dfd3e2f84b2716443d4b1

Filesize: 623KB
MD5: c269b90e487a3e32992790b0900b7020
SHA1: fc522e44e7191b9de48b860d97688b21e905b204
SHA256: cd5ea334a091fcf73a11f559dec661f526f756278f90f46352979c0901fc93e4
SHA512: 4f6099e2a704fbf871d9083c0a56a24af1b72e396fe57b65b413d27cacc0372bde70087de3624b256fdef06cb902d60c93748c1301da17a26bfce985164fc799

Filesize: 136KB
MD5: 4db9b048077c8bb9469b4671ef85844f
SHA1: 84c0bfd0e9d46043342b875a3f2a74c48b50815a
SHA256: a37d0b22161b713836203c8a3678d8106dbdcc01deaa1c2f4a80c49c97236a27
SHA512: 84bb09495e0bade6762a38b6c43dbf062f46ae7415e15a8b21c19f93ab4e9b103df28694cdebdcd454623b9bf530f2d9c2c87bb531eec6bbbc0db83a2d21b81d

Filesize: 468KB
MD5: f347f0c0726ba7d57df02649793324af
SHA1: f1cc9402d1c33c98fe3e3828e4a9c143813f3d18
SHA256: 29af44c787bc06379f9d01651e8ae29684ad2e01258aae2af57283b47741e0b7
SHA512: 28268d52d53c53455b3039970206a901caf3b7b5723c604d5a4894c7347513a3339bcf79bece1bb4bf2b38bf1e7e1d900ee64a99bd4de04a51847bb34e5e2e7c

Filesize: 12KB
MD5: c716ed259cfaa72701354cab5c45b44b
SHA1: 249c18298d9c45971a69ab78988b6accb49a55a9
SHA256: dad1271b2521e0cd12037fb2aacc66cd6c0409ad7946cd45cc7d3f398f6c55d9
SHA512: 73f0592edf2c37a53a79eecf6a011473a7e9ba5fb327fda318a2d7fa73aa0895f04dddde8c15c497fdecd02d1a8a76cc80769a839c3d6ed9a4ecef148761909a

Filesize: 481KB
MD5: 40cd229c4f554bc29b3333efb0f97afd
SHA1: b6015b1d34bf524e108215ee92b242e1d02a3ebe
SHA256: f4e58e4e7e970fa7ddfd25e398c3b9fccabcc23f8def4a99936eba87a8614dbd
SHA512: 541bedf5cbefe1ee31c24584d2b438e8536ae8d09ac2052ef8ccde8878c69cf7cfab518d44f3f013ef526168d772a7e6521a8435f637e91c5e9f70abb0c94614