Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 17-04-2023 22:34
Static task: static1
General
Target: bbdb8b28b0b930cae3c0c66ab4fc2e446c7bb8fa989bd3deef5d82f5dc780b35.exe
Size: 982KB
MD5: 290e652ce863f5d463724e9981e02051
SHA1: 9d67838aaba137361a43f8bba40306e4d1b5c10e
SHA256: bbdb8b28b0b930cae3c0c66ab4fc2e446c7bb8fa989bd3deef5d82f5dc780b35
SHA512: 0fefd8c231917bb969cae6caf2cb92aafd47bd23700e687f4e439c09c71d06055302afc2c639d9f7097504179962d40655d34ef619f1ddc763a08695242d4f05
SSDEEP: 24576:4yenCjpLDkuvLh6v1JzdY1+TMsv8cYwNBYCytOlqonebDV8+cQj:/42X161xA5sv8cpBYCczvbB
Malware Config

Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description      ioc                                                                                                                Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"   pr072619.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"       pr072619.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"   pr072619.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   pr072619.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr072619.exe
All five values are written by pr072619.exe under the Group Policy path for Defender real-time protection, the same location an administrator's GPO would populate. The sandbox records the registry write, not whether Defender honoured it: on hosts where Tamper Protection is on (available from Windows 10 version 1903, so not on this 1703 image) Defender blocks these changes.
Executes dropped EXE 6 IoCs
pid   Process
3652  un800705.exe
4608  un316846.exe
5008  pr072619.exe
4260  qu487212.exe
712   rk351268.exe
1412  si451653.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification 2 IoCs
description      ioc                                                                                      Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                 pr072619.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pr072619.exe
The WOW6432Node path shows that the writer is a 32-bit process whose write to HKLM\SOFTWARE\Microsoft\Windows Defender was redirected by WOW64 (the Policies key in the previous signature is not redirected, which is why it appears at its native path). The 64-bit Defender service reads the native key, so this TamperProtection write is unlikely to change the effective setting even on a build that has the feature.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description      ioc                                                                                              Process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                    bbdb8b28b0b930cae3c0c66ab4fc2e446c7bb8fa989bd3deef5d82f5dc780b35.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  bbdb8b28b0b930cae3c0c66ab4fc2e446c7bb8fa989bd3deef5d82f5dc780b35.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                    un800705.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un800705.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                    un316846.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  un316846.exe
Caveat: these RunOnce values are not persistence for the payload. "wextract_cleanupN" pointing at advpack.dll,DelNodeRunDLL32 is the cleanup entry that Windows' own wextract self-extractor (IExpress-style packages) writes so that its IXP00N.TMP extraction directory is deleted at the next logon. Three such entries, for IXP000.TMP, IXP001.TMP and IXP002.TMP, mean three nested self-extracting layers, which matches the un800705.exe -> un316846.exe -> pr072619.exe / qu487212.exe chain in the process tree. The directory names and the cleanup values are still useful as triage indicators of this packaging.
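The three registry signatures above (the Defender policy writes, the TamperProtection write and the RunOnce entries) are easier to reason about once each event is classified by what it actually does. The following Python is an added example for this page, not code from the Tria.ge report or from the sample: the EVENTS list is constructed from the signature lines above, and the category names, the policy-key test and the wextract_cleanup heuristic are the author's own choices.

```python
"""Classify the registry writes a sandbox report lists under its signatures.

Added example for this page, not part of the Tria.ge report or of the sample.
EVENTS is constructed from the Signatures section; the category names, the
Defender policy-key test and the wextract_cleanup heuristic are the author's
assumptions about what an analyst would want flagged.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = "bbdb8b28b0b930cae3c0c66ab4fc2e446c7bb8fa989bd3deef5d82f5dc780b35.exe"
DEFENDER_RTP = r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
WEXTRACT_CLEANUP = "advpack.dll,DelNodeRunDLL32"

# Registry events exactly as the report prints them (constructed input).
EVENTS: List[str] = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr072619.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr072619.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr072619.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr072619.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr072619.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr072619.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr072619.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ' + SAMPLE,
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un800705.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un800705.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un316846.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" un316846.exe',
]

# "<op> <key>[ = "<value>"] <process>"; the key may contain spaces, so it is
# matched lazily and the process name is pinned to the end of the line.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+)$'
)


@dataclass
class Finding:
    category: str
    process: str
    key: str
    value: Optional[str]
    note: str = ""   # ATT&CK id, or the IXP directory for a wextract cleanup


def classify(line: str) -> Finding:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    op, key, value, proc = m.group("op", "key", "value", "process")
    name = key.rsplit("\\", 1)[-1]          # value name (last path element)
    lowered = key.lower()
    if op == "Key created":
        return Finding("key-created", proc, key, None)
    if DEFENDER_RTP.lower() in lowered and name.lower().startswith("disable") and value == "1":
        return Finding("defender-realtime-disabled", proc, key, value, "T1562.001")
    if lowered.endswith("\\windows defender\\features\\tamperprotection") and value == "0":
        return Finding("tamper-protection-disabled", proc, key, value, "T1562.001")
    if "\\currentversion\\run" in lowered:
        # wextract's own cleanup entry: not payload persistence, but it leaks
        # the extraction directory of one self-extractor layer.
        if re.fullmatch(r"wextract_cleanup\d+", name) and WEXTRACT_CLEANUP in (value or ""):
            d = re.search(r"IXP\d{3}\.TMP", value or "")
            return Finding("wextract-cleanup", proc, key, value, d.group(0) if d else "")
        return Finding("run-key-persistence", proc, key, value, "T1547.001")
    return Finding("other", proc, key, value)


def summarize(lines: List[str]) -> dict:
    findings = [classify(l) for l in lines]
    tamper = {"defender-realtime-disabled", "tamper-protection-disabled"}
    return {
        "counts": dict(Counter(f.category for f in findings)),
        "defender_tamperers": sorted({f.process for f in findings if f.category in tamper}),
        "extraction_dirs": [f.note for f in findings if f.category == "wextract-cleanup"],
    }


if __name__ == "__main__":
    for f in map(classify, EVENTS):
        print(f"{f.category:28} {f.process:14} {f.note}")
    print(summarize(EVENTS))
```

Running the block on the report's events yields five defender-realtime-disabled findings and one tamper-protection-disabled finding, all from pr072619.exe, and three wextract-cleanup findings that expose IXP000.TMP, IXP001.TMP and IXP002.TMP; a genuine Run or RunOnce value that is not a wextract cleanup entry falls through to run-key-persistence.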
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 7 IoCs
pid   pid_target  Process       procid_target
1708  1412        WerFault.exe  72
4652  1412        WerFault.exe  72
4800  1412        WerFault.exe  72
2092  1412        WerFault.exe  72
4332  1412        WerFault.exe  72
2556  1412        WerFault.exe  72
2812  1412        WerFault.exe  72
All seven crash reports are for si451653.exe (PID 1412); the WerFault command lines are in the process tree below.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
5008  pr072619.exe  (x2)
4260  qu487212.exe  (x2)
712   rk351268.exe  (x2)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  5008  pr072619.exe
Token: SeDebugPrivilege  4260  qu487212.exe
Token: SeDebugPrivilege  712   rk351268.exe
Suspicious use of WriteProcessMemory 18 IoCs
description                         pid   Process                                                                   procid_target
PID 420 wrote to memory of 3652     420   bbdb8b28b0b930cae3c0c66ab4fc2e446c7bb8fa989bd3deef5d82f5dc780b35.exe     66  (x3)
PID 3652 wrote to memory of 4608    3652  un800705.exe                                                              67  (x3)
PID 4608 wrote to memory of 5008    4608  un316846.exe                                                              68  (x3)
PID 4608 wrote to memory of 4260    4608  un316846.exe                                                              69  (x3)
PID 3652 wrote to memory of 712     3652  un800705.exe                                                              71  (x3)
PID 420 wrote to memory of 1412     420   bbdb8b28b0b930cae3c0c66ab4fc2e446c7bb8fa989bd3deef5d82f5dc780b35.exe     72  (x3)
Each parent-to-child write is logged three times in the report; the six distinct pairs are the six process launches shown in the tree below.
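The WriteProcessMemory and Program crash listings are flat, and each launch is repeated three times, so reconstructing the lineage by hand is error-prone across many reports. The following Python is an added example for this page, not code from the Tria.ge report: WRITES, CRASHES and DROPPED are constructed from the signature rows above, and treating every distinct "wrote to memory" pair as one parent/child edge is the author's heuristic, which happens to agree with the process tree the sandbox renders.

```python
"""Rebuild the process tree from a report's flattened WriteProcessMemory and
Program crash rows.

Added example, not part of the Tria.ge report or the sample. The inputs below
are constructed from the Signatures section; collapsing repeated
"PID a wrote to memory of b" rows into one edge is the author's heuristic.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE = "bbdb8b28b0b930cae3c0c66ab4fc2e446c7bb8fa989bd3deef5d82f5dc780b35.exe"

# 'Executes dropped EXE' rows: pid -> image name (constructed from the report).
DROPPED: Dict[int, str] = {
    3652: "un800705.exe", 4608: "un316846.exe", 5008: "pr072619.exe",
    4260: "qu487212.exe", 712: "rk351268.exe", 1412: "si451653.exe",
}

# 'Suspicious use of WriteProcessMemory' rows, one per line (constructed).
WRITES = "\n".join(
    f"PID {src} wrote to memory of {dst} {src} {proc} {target}"
    for src, dst, proc, target in [
        (420, 3652, SAMPLE, 66), (3652, 4608, "un800705.exe", 67),
        (4608, 5008, "un316846.exe", 68), (4608, 4260, "un316846.exe", 69),
        (3652, 712, "un800705.exe", 71), (420, 1412, SAMPLE, 72),
    ]
    for _ in range(3)          # the report repeats every pair three times
)

# 'Program crash' rows: pid pid_target Process procid_target (constructed).
CRASHES = "\n".join(
    f"{wer} 1412 WerFault.exe 72" for wer in (1708, 4652, 4800, 2092, 4332, 2556, 2812)
)

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
CRASH_RE = re.compile(r"(\d+) (\d+) (\S+) (\d+)")


def build_tree(writes: str, crashes: str, names: Dict[int, str]) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """Return (parent pid -> ordered unique child pids, pid -> image name)."""
    children: Dict[int, List[int]] = defaultdict(list)
    names = dict(names)
    for m in WRITE_RE.finditer(writes):
        src, dst, proc = int(m[1]), int(m[2]), m[3]
        names.setdefault(src, proc)
        if dst not in children[src]:            # collapse the repeated rows
            children[src].append(dst)
    for m in CRASH_RE.finditer(crashes):
        wer, target, proc = int(m[1]), int(m[2]), m[3]
        names.setdefault(wer, proc)
        if wer not in children[target]:         # WerFault hangs off the crashed pid
            children[target].append(wer)
    return children, names


def path_to(children: Dict[int, List[int]], root: int, target: int,
            path: Optional[List[int]] = None) -> Optional[List[int]]:
    """Launch chain from root to target, e.g. [420, 3652, 4608, 5008]."""
    path = (path or []) + [root]
    if root == target:
        return path
    for child in children.get(root, []):
        found = path_to(children, child, target, path)
        if found:
            return found
    return None


def render(children: Dict[int, List[int]], names: Dict[int, str], root: int, depth: int = 0) -> List[str]:
    """Indented one-line-per-process view, depth-first in launch order."""
    lines = [f"{'  ' * depth}{names.get(root, '?')} (PID {root})"]
    for child in children.get(root, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree, pid_names = build_tree(WRITES, CRASHES, DROPPED)
    print("\n".join(render(tree, pid_names, 420)))
    print("chain to pr072619.exe:", path_to(tree, 420, 5008))
```

The rendered tree has fourteen nodes (the sample, six dropped executables and seven WerFault instances), and path_to shows that the Defender-tampering process pr072619.exe sits four launches deep, under the sample and two wextract layers.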
Processes
C:\Users\Admin\AppData\Local\Temp\bbdb8b28b0b930cae3c0c66ab4fc2e446c7bb8fa989bd3deef5d82f5dc780b35.exe  (PID 420, level 1)
  cmd: "C:\Users\Admin\AppData\Local\Temp\bbdb8b28b0b930cae3c0c66ab4fc2e446c7bb8fa989bd3deef5d82f5dc780b35.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800705.exe  (PID 3652, level 2)
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800705.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un316846.exe  (PID 4608, level 3)
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un316846.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr072619.exe  (PID 5008, level 4)
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr072619.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu487212.exe  (PID 4260, level 4)
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu487212.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk351268.exe  (PID 712, level 3)
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk351268.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si451653.exe  (PID 1412, level 2)
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si451653.exe
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe  (PID 1708, level 3)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 644
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 4652, level 3)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 720
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 4800, level 3)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 848
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 2092, level 3)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 856
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 4332, level 3)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 884
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 2556, level 3)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 908
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 2812, level 3)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1056
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
Six distinct files are available; the report listed each of them twice with identical hashes, so each appears once here.

Filesize: 246KB
MD5: ac3eb194ed5ab3b80a14e8189174a171
SHA1: c888d21cbdb7d01e02b5bb199d070a18c23cfda6
SHA256: 708c0153842214059ea1aa8bd40086850cb5cfbc58300f18d7b6421b2d34ed38
SHA512: a776e533d4d3f483bdb649a116d4c1c5dde9617466ceacbe2ad8ffbb7ee3ea9405ee69f1ac3db2e0a2fd6c738d5bc9e7b8cf20b0753a4761d3981b249fc0b3dc

Filesize: 709KB
MD5: fdcc95209293a615b34f39d0d73c918c
SHA1: 99ccf2ad620958e462fbaa0c85bc7c164868d94f
SHA256: 29f396bcbe6f7ab4e5cbab989d5cd9bd35d25dd93d528410f165445c64344591
SHA512: 4fa808afeadc426ee3364d92e0a37fbd69589113cd7cb86b350c308261161803b4b81b275dfb8830e8d7792091a4352b6e4f3b0d2a6711ad6f51a5bc07d1c103

Filesize: 136KB
MD5: 359db2338ae0f977dcf10e90cf9816fb
SHA1: 94126cb670e5f434e555c991c967e0ee98fae552
SHA256: 5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc
SHA512: d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

Filesize: 555KB
MD5: 7ceca6c48074a416e7d8260ae1f93e8e
SHA1: 2084fcdb7ac097a2958562fda3dbbf0b31e8a86e
SHA256: f5acfc9806f57e3219569084b7543b0d6e5a8ed534b4c1ce24d54bb43112fce2
SHA512: ca5866919451e486889bb52e331b7c8a76be25d3e5f03ad3360fa833eb3463bce3266243ae982aee1d3a48015e7bb41e607212795d623055242cb42c209a2dcc

Filesize: 255KB
MD5: 0e4d4b68212db5b384b4b353a7fd0c8b
SHA1: bd5902a1538113176402888cdf905a32c233a925
SHA256: 435bb68973557574c018c68a35361ab1e9a1c5a0c0d9ec674666dcb5caa1f96a
SHA512: bc96f543e19e3ae5751df616f2a4189ec7599ab1776bc01be070f75fb7316df6cdbb20bc8e15dfc397ba40a8d79b59d3aedd1a57a3ec0eb234ba4c6511f5c98a

Filesize: 337KB
MD5: b870ed1cfe52b1c09ce69600bea0f265
SHA1: abfb1c72fb8aee6bc1402472f6c50cc033877b27
SHA256: 14f6b60e2d0f1179d1ecbb33effc00c50072ac6428cabf8638b152b872958a41
SHA512: 1a0e302dae1fa864df96e8225798cc22ecdd0fc1b9d6beed5f71b0fcf9d01ad9e69bda11b8b7dfaebe2496df7c463d9da26fae5038b57f5c1141b191c8941889