Analysis
max time kernel: 144s
max time network: 139s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20/04/2023, 23:28
Static task: static1
General
Target: b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe
Size: 920KB
MD5: a3f0b6d0e55179bcef554f2e5295f332
SHA1: 550fd9f3e85ce06bb96f6003c356553da9a9d6fd
SHA256: b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123
SHA512: 46b38ac8973d12c73f328a22954c85858b86815857e1b1ea298311fc761b4414c091e3e3c1bc1ad55f4fd537f9016248802cd099d17c56f933a2069095508f63
SSDEEP: 24576:myJ7rPvW+id/Z4DOlK2OaTK4Atm7uBYIaX9u:1J7Lzid/Z5vuqIo9
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it658394.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it658394.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it658394.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it658394.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it658394.exe
Executes dropped EXE 6 IoCs
pid | Process
3548 | zidD3943.exe
2348 | ziyF7992.exe
5108 | it658394.exe
4916 | jr154519.exe
2164 | kp830302.exe
2528 | lr969360.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it658394.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zidD3943.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zidD3943.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziyF7992.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ziyF7992.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 9 IoCs
pid | pid_target | Process | procid_target
3588 | 2528 | WerFault.exe | 72
2368 | 2528 | WerFault.exe | 72
5100 | 2528 | WerFault.exe | 72
4920 | 2528 | WerFault.exe | 72
4232 | 2528 | WerFault.exe | 72
4248 | 2528 | WerFault.exe | 72
304 | 2528 | WerFault.exe | 72
3956 | 2528 | WerFault.exe | 72
1472 | 2528 | WerFault.exe | 72
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5108 | it658394.exe
5108 | it658394.exe
4916 | jr154519.exe
4916 | jr154519.exe
2164 | kp830302.exe
2164 | kp830302.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5108 | it658394.exe
Token: SeDebugPrivilege | 4916 | jr154519.exe
Token: SeDebugPrivilege | 2164 | kp830302.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4124 wrote to memory of 3548 | 4124 | b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe | 66
PID 4124 wrote to memory of 3548 | 4124 | b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe | 66
PID 4124 wrote to memory of 3548 | 4124 | b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe | 66
PID 3548 wrote to memory of 2348 | 3548 | zidD3943.exe | 67
PID 3548 wrote to memory of 2348 | 3548 | zidD3943.exe | 67
PID 3548 wrote to memory of 2348 | 3548 | zidD3943.exe | 67
PID 2348 wrote to memory of 5108 | 2348 | ziyF7992.exe | 68
PID 2348 wrote to memory of 5108 | 2348 | ziyF7992.exe | 68
PID 2348 wrote to memory of 4916 | 2348 | ziyF7992.exe | 69
PID 2348 wrote to memory of 4916 | 2348 | ziyF7992.exe | 69
PID 2348 wrote to memory of 4916 | 2348 | ziyF7992.exe | 69
PID 3548 wrote to memory of 2164 | 3548 | zidD3943.exe | 71
PID 3548 wrote to memory of 2164 | 3548 | zidD3943.exe | 71
PID 3548 wrote to memory of 2164 | 3548 | zidD3943.exe | 71
PID 4124 wrote to memory of 2528 | 4124 | b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe | 72
PID 4124 wrote to memory of 2528 | 4124 | b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe | 72
PID 4124 wrote to memory of 2528 | 4124 | b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe | 72
Processes
C:\Users\Admin\AppData\Local\Temp\b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3e128766755a249f058b8af014edd0d63d78807642a5c6091d6e249095dc123.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4124
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidD3943.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidD3943.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3548
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziyF7992.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziyF7992.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2348
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it658394.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it658394.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 5108
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr154519.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr154519.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4916
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp830302.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp830302.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2164
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr969360.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr969360.exe
    - Executes dropped EXE
    PID: 2528
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 616
      - Program crash
      PID: 3588
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 696
      - Program crash
      PID: 2368
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 836
      - Program crash
      PID: 5100
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 620
      - Program crash
      PID: 4920
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 864
      - Program crash
      PID: 4232
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 880
      - Program crash
      PID: 4248
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1124
      - Program crash
      PID: 304
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1144
      - Program crash
      PID: 3956
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1108
      - Program crash
      PID: 1472
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 367KB
MD5: 1f2d110420136746d089248885ff7de9
SHA1: 6018db5c1daeebe645078dd13271e3dca6d69c87
SHA256: a858743e72c1d27c1cdd65c6bd2631cd71eddc72c44931d408de22c2d785b563
SHA512: e9bc0b1cf3f3ab51e05e0bd067d0159a0c82fa33ff0fde8e6b1fd39cc489bb52a5385fc5f3b6855e452ad8c8d69d80385624d35466117997b5263c726f09baab

Filesize: 616KB
MD5: 80482c2ad303dd3a021218188e900394
SHA1: 9778a9cf53c8b30c9371e252bb2fa97237bf3ed6
SHA256: e40ae6c4f87d0f229b1239ee6ab5d6d5d6f04dcc9ee3b0350644c1018763af3e
SHA512: 2b7756c09d1ea93e84f79a8d4ba2583c78c9a54886b75238b7e60f8a45964b2a731ceec4aad9821711b43156f5fc4a3da18a2e1df56b28657ba1f1811ed25b63

Filesize: 136KB
MD5: ac0ffc4fceebe7be421ae8fc8517d1bf
SHA1: fa6a6f1878e561b5401ae36422add3d34cfdf6dd
SHA256: fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718
SHA512: 23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Filesize: 461KB
MD5: 3d33d8feab29ea2f6af562ddec96914b
SHA1: c1a4a439b6c97e500377a63e229a5355d58af4cb
SHA256: 25aee678051c0e6790da4526faa63ac4f863bc5f1fecbc3caf64d7d18ffaa718
SHA512: 6fa046e1554f38b14bb7d02dc70d5618b0369e80f1533e5252b8f681d284da97638c8ec7b90c858517dc198c994ed44fd4b127b1cac1aef07b29c26b784d4ce6

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 472KB
MD5: ad7cd24b375381457e12aad60b7b0357
SHA1: 53eacffcd42f036c74b4baef177a40a4aa549b90
SHA256: 82865bd4c6a00175bb54c25caa14813789255e69ae4503bbf6bb78a1c0e66a7b
SHA512: 7e59987ec116c1122080f9120b107d2c2e600343930e7fcb1e4a6d8321b2a86ad9390f3c43552cf06aeec545d52d7dae1a2f473da0bef16fdeda43b4e641c98a