Analysis

max time kernel: 148s
max time network: 148s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 21/04/2023, 22:49
Static task: static1
General

Target: 664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf.exe
Size: 806KB
MD5: ad9b42233d4e152cf144e3941d2cd096
SHA1: 1f86245dca4705d573a07fb522815c8ecf5c0e96
SHA256: 664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf
SHA512: 3960332f690e0577950776a87898b1abe82b6073a2230a29b6222a12251fc37608b965607cad827f4af2015ccabcee432be8d243dea670886ce8a3fb85158a75
SSDEEP: 24576:kyAKkFb6nnu/91ppzZp+PFKBZjHcbeFZWm:zApFT1ppFpPSMW
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it204512.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it204512.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it204512.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it204512.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it204512.exe
Executes dropped EXE 6 IoCs

pid | Process
2600 | ziXq7943.exe
3896 | ziJS5921.exe
4064 | it204512.exe
3876 | jr713105.exe
2268 | kp345543.exe
2452 | lr606246.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it204512.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziXq7943.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziXq7943.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziJS5921.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ziJS5921.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 9 IoCs

pid | pid_target | Process | procid_target
3996 | 2452 | WerFault.exe | 72
3980 | 2452 | WerFault.exe | 72
4504 | 2452 | WerFault.exe | 72
2476 | 2452 | WerFault.exe | 72
3740 | 2452 | WerFault.exe | 72
4780 | 2452 | WerFault.exe | 72
1456 | 2452 | WerFault.exe | 72
2228 | 2452 | WerFault.exe | 72
3632 | 2452 | WerFault.exe | 72
Suspicious behavior: EnumeratesProcesses 6 IoCs

pid | Process
4064 | it204512.exe
4064 | it204512.exe
3876 | jr713105.exe
3876 | jr713105.exe
2268 | kp345543.exe
2268 | kp345543.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

description | pid | Process
Token: SeDebugPrivilege | 4064 | it204512.exe
Token: SeDebugPrivilege | 3876 | jr713105.exe
Token: SeDebugPrivilege | 2268 | kp345543.exe
Suspicious use of WriteProcessMemory 17 IoCs

description | pid | Process | procid_target
PID 2408 wrote to memory of 2600 | 2408 | 664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf.exe | 66
PID 2408 wrote to memory of 2600 | 2408 | 664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf.exe | 66
PID 2408 wrote to memory of 2600 | 2408 | 664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf.exe | 66
PID 2600 wrote to memory of 3896 | 2600 | ziXq7943.exe | 67
PID 2600 wrote to memory of 3896 | 2600 | ziXq7943.exe | 67
PID 2600 wrote to memory of 3896 | 2600 | ziXq7943.exe | 67
PID 3896 wrote to memory of 4064 | 3896 | ziJS5921.exe | 68
PID 3896 wrote to memory of 4064 | 3896 | ziJS5921.exe | 68
PID 3896 wrote to memory of 3876 | 3896 | ziJS5921.exe | 69
PID 3896 wrote to memory of 3876 | 3896 | ziJS5921.exe | 69
PID 3896 wrote to memory of 3876 | 3896 | ziJS5921.exe | 69
PID 2600 wrote to memory of 2268 | 2600 | ziXq7943.exe | 71
PID 2600 wrote to memory of 2268 | 2600 | ziXq7943.exe | 71
PID 2600 wrote to memory of 2268 | 2600 | ziXq7943.exe | 71
PID 2408 wrote to memory of 2452 | 2408 | 664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf.exe | 72
PID 2408 wrote to memory of 2452 | 2408 | 664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf.exe | 72
PID 2408 wrote to memory of 2452 | 2408 | 664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf.exe | 72
Processes

"C:\Users\Admin\AppData\Local\Temp\664041ba758a1f80a40a6077af6578172c7655f9e30140c43198e6992070eeaf.exe" (depth 1)
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2408
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXq7943.exe (depth 2)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2600
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziJS5921.exe (depth 3)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID:3896
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it204512.exe (depth 4)
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:4064
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr713105.exe (depth 4)
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:3876
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp345543.exe (depth 3)
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2268
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr606246.exe (depth 2)
    - Executes dropped EXE
    PID:2452
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 616 (depth 3)
        - Program crash
        PID:3996
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 696 (depth 3)
        - Program crash
        PID:3980
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 836 (depth 3)
        - Program crash
        PID:4504
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 816 (depth 3)
        - Program crash
        PID:2476
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 880 (depth 3)
        - Program crash
        PID:3740
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 920 (depth 3)
        - Program crash
        PID:4780
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1116 (depth 3)
        - Program crash
        PID:1456
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1148 (depth 3)
        - Program crash
        PID:2228
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1156 (depth 3)
        - Program crash
        PID:3632
Network
MITRE ATT&CK Enterprise v6
Downloads