Analysis
- max time kernel: 141s
- max time network: 98s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21-04-2023 00:04
- Static task: static1
General
- Target: 239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe
- Size: 1.0MB
- MD5: 59a38c9d61dfdf505b1db05731546959
- SHA1: 70db877d7199fb92575e9f660607818a36b02a67
- SHA256: 239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb
- SHA512: a6544ce4cac04a5327c6fda4d37321caaa115fe7114e0f9d2e08bf8aec88286047b485c102560c09e603d1d4a6bbb60cb641b05eec40fe88ecb3ad25ab7fe4f7
- SSDEEP: 24576:WyBS3oDpEJkqN17qsOsgrKrAEZqWXKXsheS6sPPBGty4:lBS3OEZN17qpi8yqWakj8t
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr116621.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr116621.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr116621.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr116621.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr116621.exe

Executes dropped EXE 6 IoCs
pid | Process
4144 | un250653.exe
4132 | un277217.exe
4956 | pr116621.exe
3600 | qu583409.exe
3476 | rk601469.exe
5036 | si692141.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr116621.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr116621.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un250653.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un250653.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un277217.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un277217.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 9 IoCs
pid | pid_target | Process | procid_target
3664 | 5036 | WerFault.exe | 72
3088 | 5036 | WerFault.exe | 72
1512 | 5036 | WerFault.exe | 72
2852 | 5036 | WerFault.exe | 72
2980 | 5036 | WerFault.exe | 72
3900 | 5036 | WerFault.exe | 72
4184 | 5036 | WerFault.exe | 72
2484 | 5036 | WerFault.exe | 72
4700 | 5036 | WerFault.exe | 72

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4956 | pr116621.exe
4956 | pr116621.exe
3600 | qu583409.exe
3600 | qu583409.exe
3476 | rk601469.exe
3476 | rk601469.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4956 | pr116621.exe
Token: SeDebugPrivilege | 3600 | qu583409.exe
Token: SeDebugPrivilege | 3476 | rk601469.exe

Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 3432 wrote to memory of 4144 | 3432 | 239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe | 66
PID 3432 wrote to memory of 4144 | 3432 | 239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe | 66
PID 3432 wrote to memory of 4144 | 3432 | 239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe | 66
PID 4144 wrote to memory of 4132 | 4144 | un250653.exe | 67
PID 4144 wrote to memory of 4132 | 4144 | un250653.exe | 67
PID 4144 wrote to memory of 4132 | 4144 | un250653.exe | 67
PID 4132 wrote to memory of 4956 | 4132 | un277217.exe | 68
PID 4132 wrote to memory of 4956 | 4132 | un277217.exe | 68
PID 4132 wrote to memory of 4956 | 4132 | un277217.exe | 68
PID 4132 wrote to memory of 3600 | 4132 | un277217.exe | 69
PID 4132 wrote to memory of 3600 | 4132 | un277217.exe | 69
PID 4132 wrote to memory of 3600 | 4132 | un277217.exe | 69
PID 4144 wrote to memory of 3476 | 4144 | un250653.exe | 71
PID 4144 wrote to memory of 3476 | 4144 | un250653.exe | 71
PID 4144 wrote to memory of 3476 | 4144 | un250653.exe | 71
PID 3432 wrote to memory of 5036 | 3432 | 239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe | 72
PID 3432 wrote to memory of 5036 | 3432 | 239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe | 72
PID 3432 wrote to memory of 5036 | 3432 | 239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe | 72
Processes
(process tree; each nested level is a child of the process above it)

239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe (PID 3432)
  Path: C:\Users\Admin\AppData\Local\Temp\239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\239e24be8110cb529ae4e8556cd6e9e3c2b03f89ee2262a233c6934699e3b9fb.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    un250653.exe (PID 4144)
      Path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un250653.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un250653.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        un277217.exe (PID 4132)
          Path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un277217.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un277217.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

            pr116621.exe (PID 4956)
              Path: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr116621.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr116621.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            qu583409.exe (PID 3600)
              Path: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu583409.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu583409.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

        rk601469.exe (PID 3476)
          Path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601469.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601469.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    si692141.exe (PID 5036)
      Path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si692141.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si692141.exe
      - Executes dropped EXE

        WerFault.exe (PID 3664)
          Path: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 616
          - Program crash

        WerFault.exe (PID 3088)
          Path: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 696
          - Program crash

        WerFault.exe (PID 1512)
          Path: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 796
          - Program crash

        WerFault.exe (PID 2852)
          Path: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 840
          - Program crash

        WerFault.exe (PID 2980)
          Path: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 880
          - Program crash

        WerFault.exe (PID 3900)
          Path: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 856
          - Program crash

        WerFault.exe (PID 4184)
          Path: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1124
          - Program crash

        WerFault.exe (PID 2484)
          Path: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1204
          - Program crash

        WerFault.exe (PID 4700)
          Path: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1180
          - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads