Analysis

max time kernel: 141s
max time network: 143s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19/04/2023, 17:05
General

Target: 2e98b642c968557ef1f7d0d544c4d50238ea8d251d9a9d786f093536cd3e0b74.exe
Size: 827KB
MD5: eca74fed67c404f91b6677140e56b459
SHA1: be459c95281dd0b78f7b35b37505ca025c35e644
SHA256: 2e98b642c968557ef1f7d0d544c4d50238ea8d251d9a9d786f093536cd3e0b74
SHA512: 5875d3f167b51ed3b2d46ca23fd5ef7b350044dad707658a39104acb8f9967b7c151774d7209cf25b3a307b819a59ce3d813a332049f9df608b61a8a8d6e1ffc
SSDEEP: 12288:Ly90/LgJoVrcbkK1jgkAUPe/DvJ7cacfQwZ6CwjKjhqBbL:LyymoVoIQjvAUPW17cl4wEljuqBbL
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings  (5 IoCs; title taken from the process tree entry for it977421.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"   by it977421.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"   by it977421.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"   by it977421.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   by it977421.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"   by it977421.exe
  These are the Group Policy values for Defender real-time protection; setting each to 1 switches the corresponding component off. All five are written by the fourth-stage dropped file it977421.exe, not by the outer sample.
Executes dropped EXE  (6 IoCs)
  PID 3268  ziry7735.exe
  PID 2736  ziDn7386.exe
  PID 3432  it977421.exe
  PID 4180  jr344205.exe
  PID 2216  kp726064.exe
  PID 2512  lr899983.exe
Reads user/profile data of web browsers  (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification  (1 IoC; title taken from the process tree entry for it977421.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"   by it977421.exe
  The table records the registry write itself; whether it took effect on a host with Tamper Protection enabled is not something this row shows.
Accesses cryptocurrency files/wallets, possible credential harvesting  (2 TTPs)
Adds Run key to start application  (2 TTPs, 6 IoCs)
  Key created     \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   by 2e98b642c968557ef1f7d0d544c4d50238ea8d251d9a9d786f093536cd3e0b74.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   by 2e98b642c968557ef1f7d0d544c4d50238ea8d251d9a9d786f093536cd3e0b74.exe
  Key created     \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   by ziry7735.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   by ziry7735.exe
  Key created     \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   by ziDn7386.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   by ziDn7386.exe
  Caveat: all six IoCs are the stock WEXTRACT (IExpress self-extracting cabinet) cleanup entry. RunOnce\wextract_cleanupN runs advpack.dll,DelNodeRunDLL32 to delete the IXP00N.TMP extraction directory at the next logon; it does not start the payload. The three entries (IXP000 to IXP002) show three nested self-extracting layers, which matches the process tree, so this signature is packaging noise rather than persistence.
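The two Defender signatures and the RunOnce signature above are all registry SetValue events, and a detection rule has to tell them apart: the Real-Time Protection and TamperProtection writes are the real finding, while the wextract_cleanup RunOnce entries are packaging noise. The classifier below is an added example, not part of this report or of any vendor's rules. Its input records are constructed here in the shape of Sysmon Event ID 13 fields (Image, TargetObject, Details); the key paths and values are the ones this report attributes to it977421.exe and to the three WEXTRACT layers, plus one hypothetical genuine Run entry (payload.exe / updater.exe, not from the report) for contrast.

```python
"""Classify registry SetValue events of the kinds listed in the signatures above.

Added example, not part of the sandbox report. Records are constructed in the
shape of Sysmon Event ID 13 (RegistryEvent: SetValue) fields.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "info"
    tag: str
    image: str
    target: str


# Real-Time Protection policy values the sample set to 1.
DEFENDER_RTP_DISABLE = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}


def normalize(target: str) -> str:
    """Map the kernel path form used by the report (\\REGISTRY\\MACHINE\\...) onto
    HKLM\\... and drop WOW6432Node so 32-bit and 64-bit writers compare equal."""
    t = re.sub(r"^\\REGISTRY\\MACHINE\\", "HKLM\\\\", target, flags=re.I)
    t = re.sub(r"\\WOW6432Node", "", t, flags=re.I)
    return t


def parse_int(details: str) -> Optional[int]:
    """Accept Sysmon's 'DWORD (0x00000001)' and the report's '"1"' renderings."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'\s*"?(-?\d+)"?\s*', details)
    return int(m.group(1)) if m else None


def classify(event: dict) -> Optional[Finding]:
    image, details = event["Image"], event["Details"]
    target = normalize(event["TargetObject"])
    key, _, name = target.rpartition("\\")
    key = key.lower()
    value = parse_int(details)

    # Any Disable* policy value set to 1 turns off a Defender real-time component.
    if key.endswith(r"\policies\microsoft\windows defender\real-time protection") \
            and name in DEFENDER_RTP_DISABLE and value == 1:
        return Finding("high", "defender_rtp_disabled", image, target)
    if key.endswith(r"\microsoft\windows defender\features") \
            and name == "TamperProtection" and value == 0:
        return Finding("high", "defender_tamper_protection_off", image, target)
    if re.search(r"\\microsoft\\windows\\currentversion\\run(once)?$", key):
        # Stock IExpress/WEXTRACT cleanup: RunOnce\wextract_cleanupN running
        # advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP directory. It deletes
        # the extraction directory at next logon and is not persistence.
        if re.fullmatch(r"wextract_cleanup\d+", name, re.I) and re.search(
                r"advpack\.dll,DelNodeRunDLL32\b.*\\IXP\d{3}\.TMP", details, re.I):
            return Finding("info", "wextract_cleanup", image, target)
        return Finding("medium", "run_key_persistence", image, target)
    return None


def scan(events):
    """Findings for every matching event, in input order."""
    return [f for f in map(classify, events) if f is not None]


# --- constructed sample records (values transcribed from the report) -------
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
ROOT = "2e98b642c968557ef1f7d0d544c4d50238ea8d251d9a9d786f093536cd3e0b74.exe"


def wextract_cmd(n: int) -> str:
    return (r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
            r'"C:\Users\Admin\AppData\Local\Temp\IXP%03d.TMP\"' % n)


SAMPLE_EVENTS = (
    [{"Image": "it977421.exe", "TargetObject": RTP + "\\" + v, "Details": '"1"'}
     for v in sorted(DEFENDER_RTP_DISABLE)]
    + [{"Image": "it977421.exe",
        "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
        "Details": '"0"'}]
    + [{"Image": img, "TargetObject": RUNONCE + "\\wextract_cleanup%d" % i,
        "Details": wextract_cmd(i)}
       for i, img in enumerate([ROOT, "ziry7735.exe", "ziDn7386.exe"])]
    # Hypothetical contrast record, NOT from the report: a genuine Run entry.
    + [{"Image": "payload.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Users\Admin\AppData\Roaming\updater.exe"}]
)

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.tag:32} {f.image:14} {f.target}")
```

Run on the constructed records this yields six high findings, all attributed to it977421.exe, three informational wextract_cleanup entries and one medium Run-key finding for the hypothetical record. The downgrade of wextract_cleanup requires both the value name pattern and the advpack.dll/IXPnnn.TMP command, so a RunOnce entry that merely borrows the name is still flagged.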
Checks installed software on the system  (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash  (7 IoCs)
  WerFault.exe PID 2940  ->  faulting PID 2512 (procid_target 72)
  WerFault.exe PID 4064  ->  faulting PID 2512 (procid_target 72)
  WerFault.exe PID 2592  ->  faulting PID 2512 (procid_target 72)
  WerFault.exe PID 3424  ->  faulting PID 2512 (procid_target 72)
  WerFault.exe PID 4948  ->  faulting PID 2512 (procid_target 72)
  WerFault.exe PID 1704  ->  faulting PID 2512 (procid_target 72)
  WerFault.exe PID 4008  ->  faulting PID 2512 (procid_target 72)
  All seven reports are for PID 2512, lr899983.exe (the -p argument on each WerFault command line in the process list names the faulting PID). lr899983.exe triggers no signature other than "Executes dropped EXE", so this second-stage child faulted seven times rather than doing anything the sandbox could attribute to it.
Suspicious behavior: EnumeratesProcesses  (6 IoCs)
  PID 3432  it977421.exe  (2 rows)
  PID 4180  jr344205.exe  (2 rows)
  PID 2216  kp726064.exe  (2 rows)
Suspicious use of AdjustPrivilegeToken  (3 IoCs)
  Token: SeDebugPrivilege  PID 3432  it977421.exe
  Token: SeDebugPrivilege  PID 4180  jr344205.exe
  Token: SeDebugPrivilege  PID 2216  kp726064.exe
Suspicious use of WriteProcessMemory  (17 IoCs)
  PID 4324 (2e98b642c968557ef1f7d0d544c4d50238ea8d251d9a9d786f093536cd3e0b74.exe)  wrote to memory of PID 3268  (procid_target 66)   3 rows
  PID 3268 (ziry7735.exe)  wrote to memory of PID 2736  (procid_target 67)   3 rows
  PID 2736 (ziDn7386.exe)  wrote to memory of PID 3432  (procid_target 68)   2 rows
  PID 2736 (ziDn7386.exe)  wrote to memory of PID 4180  (procid_target 69)   3 rows
  PID 3268 (ziry7735.exe)  wrote to memory of PID 2216  (procid_target 71)   3 rows
  PID 4324 (2e98b642c968557ef1f7d0d544c4d50238ea8d251d9a9d786f093536cd3e0b74.exe)  wrote to memory of PID 2512  (procid_target 72)   3 rows
  procid_target is the report's own index for the target process, not a Windows PID (72 is lr899983.exe, PID 2512, the same index the Program crash table uses). The repeated writes to each child are the normal set-up of a newly created process; the six distinct writer/target pairs are exactly the parent/child edges of the process tree below.
Processes
(bracketed number = nesting depth in the process tree; each entry lists image path, command line, PID and the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\2e98b642c968557ef1f7d0d544c4d50238ea8d251d9a9d786f093536cd3e0b74.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\2e98b642c968557ef1f7d0d544c4d50238ea8d251d9a9d786f093536cd3e0b74.exe"
    PID 4324
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry7735.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry7735.exe
      PID 3268
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDn7386.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDn7386.exe
        PID 2736
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it977421.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it977421.exe
          PID 3432
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr344205.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr344205.exe
          PID 4180
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp726064.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp726064.exe
        PID 2216
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr899983.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr899983.exe
      PID 2512
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\WerFault.exe   cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 212    PID 2940   - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe   cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 696    PID 4064   - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe   cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 768    PID 2592   - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe   cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 844    PID 3424   - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe   cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 872    PID 4948   - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe   cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 892    PID 1704   - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe   cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1080   PID 4008   - Program crash
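The process tree above is what you get by collapsing the "Suspicious use of WriteProcessMemory" rows into parent/child edges and joining the "Program crash" rows onto the faulting PID. The script below does that reconstruction from the report's own rows, as an added example (not part of the report, and not output of the sandbox): the tuples are transcribed from the two tables, and the dropped-file names come from "Executes dropped EXE". It is the same procedure one would run over Sysmon Event ID 1/10 data or any other raw process-creation feed when a vendor tree is not available.

```python
"""Rebuild the sample's process tree from the WriteProcessMemory and Program
crash rows of the report. Added example; every row below is transcribed from
the tables above, nothing is derived from running the sample."""
from collections import Counter, defaultdict

ROOT = "2e98b642c968557ef1f7d0d544c4d50238ea8d251d9a9d786f093536cd3e0b74.exe"

# (writer PID, writer image, target PID): one tuple per "wrote to memory of" row.
WRITE_EVENTS = (
    [(4324, ROOT, 3268)] * 3
    + [(3268, "ziry7735.exe", 2736)] * 3
    + [(2736, "ziDn7386.exe", 3432)] * 2
    + [(2736, "ziDn7386.exe", 4180)] * 3
    + [(3268, "ziry7735.exe", 2216)] * 3
    + [(4324, ROOT, 2512)] * 3
)

# PID -> image, from "Executes dropped EXE".
DROPPED = {
    3268: "ziry7735.exe", 2736: "ziDn7386.exe", 3432: "it977421.exe",
    4180: "jr344205.exe", 2216: "kp726064.exe", 2512: "lr899983.exe",
}

# (WerFault PID, faulting PID), from "Program crash".
CRASHES = [(2940, 2512), (4064, 2512), (2592, 2512), (3424, 2512),
           (4948, 2512), (1704, 2512), (4008, 2512)]


def build_tree(write_events, images):
    """Return (names, parent, children, writes).

    Process creation issues several WriteProcessMemory calls while the child
    is set up, so each writer->target pair repeats. The first writer seen for
    a target is taken as its parent; repeats are only counted.
    """
    names = dict(images)
    parent = {}
    writes = Counter()
    for writer, writer_image, target in write_events:
        names.setdefault(writer, writer_image)
        parent.setdefault(target, writer)
        writes[(writer, target)] += 1
    children = defaultdict(list)
    for child, par in parent.items():        # insertion order = first-seen order
        children[par].append(child)
    return names, parent, dict(children), writes


def roots(names, parent):
    """PIDs that were never written to by another process."""
    return sorted(pid for pid in names if pid not in parent)


def chain(pid, parent, names):
    """Images from the root down to pid."""
    path = []
    while pid is not None:
        path.append(names[pid])
        pid = parent.get(pid)
    return path[::-1]


def crash_counts(crashes):
    """faulting PID -> number of WerFault reports."""
    return Counter(faulting for _, faulting in crashes)


def render(names, parent, children, crashes, pid=None, depth=1):
    """Indented lines using the report's depth numbering (root = 1)."""
    faults = crash_counts(crashes)
    lines = []
    for p in (roots(names, parent) if pid is None else [pid]):
        note = f"  [crashed {faults[p]}x, WerFault]" if faults[p] else ""
        lines.append(f"{'  ' * (depth - 1)}[{depth}] {names[p]} (PID {p}){note}")
        for child in children.get(p, []):
            lines.extend(render(names, parent, children, crashes, child, depth + 1))
    return lines


if __name__ == "__main__":
    names, parent, children, writes = build_tree(WRITE_EVENTS, DROPPED)
    print("\n".join(render(names, parent, children, CRASHES)))
```

The output is the seven-process tree shown above with lr899983.exe annotated as crashed seven times, and chain(3432, ...) gives the four-layer path root, ziry7735.exe, ziDn7386.exe, it977421.exe that places the Defender tampering at depth 4. Keeping the per-edge write counts (17 in total, 2 for ziDn7386.exe to it977421.exe) lets you check that nothing was lost when collapsing the rows.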
Network
MITRE ATT&CK Enterprise v6
Downloads
Six distinct files, matching the six dropped executables in the process tree; the report does not show which hash belongs to which dropped path.

Filesize: 255KB
MD5: dc97786ccf6b509fa354e925d4494ba8
SHA1: f9de77afa22cfe23836b3f0762eb2e33340c6e7c
SHA256: 4ba0b96c612eb0ce414699667ef729213213a95695e80dbdca7d5f46863ecccd
SHA512: 69f884157d323352de4af5f2b5e01593125e76aef0e775777da61d4eddb4e62c81a7f00174c4da289a0c03c5e7b1cb06b8013137a6545193bd99087cf46cbd04

Filesize: 568KB
MD5: fc2ec75382e36e0c4cb1374b123b53c4
SHA1: 7115d43f7bf16af64733c604202080ee20ff84c0
SHA256: a81945181aa46d3b55be44b12e4a0d4d0a4c015bdaeb7b4cf45de6887e606547
SHA512: b9a2e90188d4a5236008a8ab5d38ee0efdb66d26b527d8e484ecf5ab8edbef212d1eb428d7f791515a787b6d021242fba87c75732e6f80c627236b189ee9171a

Filesize: 136KB
MD5: 86810f340795831f3c2bd147981be929
SHA1: 573345e2c322720fa43f74d761ff1d48028f36c9
SHA256: d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139
SHA512: c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Filesize: 414KB
MD5: 9317fcba0608d5c2f305de9571624a8f
SHA1: 3a4049c334f00d586c8ac7c6f831de85d3ceac3a
SHA256: a5726ccbcb0e34c5fcd4c04da4bd71123feb3c479c7b32ab97e56797b560ea98
SHA512: 40c9956ce171dbf1a603cbb62b2992679796b252fd51a072c0c96aee838e74aca12fc7f56d1b9859602edaec8c3ab9f8d04366f7ee2ee60df2322335c3e58469

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 359KB
MD5: 34ec028ae2db163bc43f8035350c4f5d
SHA1: 3167f6654c514a8b4f1049860669a6061532579d
SHA256: 3526b898171aa116909343b6aa1ad90cd5386c95322b22ae678a0e3ebd15396d
SHA512: 0d3c88bd03a6ad57da7c554403d5a0268edd1d3d10e79790157bf279a66e47bbf1e538187daf7b9b849449290868930d5dc35c106ceaa6959029a998475f1a74