Analysis
max time kernel: 148s
max time network: 132s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 21/04/2023, 16:50
Static task: static1
General
Target: 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe
Size: 808KB
MD5: 03813a80e0f840b1d5c5623b917b0fdb
SHA1: 5f3890ebdd0f203a1d00df6416acf7daf4c852fb
SHA256: 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac
SHA512: 41ca3835d6d479050910fdb892539dcbdc6898374dcb0a14bdaa969c8d4d6693edb2523a802ad10ecdbb3d3cd92a94f5b86b2744395cdb3b03db585ce54befd7
SSDEEP: 12288:Sy90204lg2J2FyH44i9rt9oNECWWcbwSmUwEdqNAf/otd2bQTkLwyrKZeWiWf:Sy+5O4B9jSE3buURMmXq2XELXf
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it414985.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it414985.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it414985.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it414985.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it414985.exe
Executes dropped EXE 6 IoCs
pid | Process
2272 | zion7962.exe
2456 | zigM2404.exe
2736 | it414985.exe
4988 | jr421986.exe
2848 | kp095790.exe
1636 | lr492753.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it414985.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zion7962.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zion7962.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zigM2404.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zigM2404.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 7 IoCs
pid | pid_target | Process | procid_target
2392 | 1636 | WerFault.exe | 72
2676 | 1636 | WerFault.exe | 72
3152 | 1636 | WerFault.exe | 72
2788 | 1636 | WerFault.exe | 72
2256 | 1636 | WerFault.exe | 72
2096 | 1636 | WerFault.exe | 72
2336 | 1636 | WerFault.exe | 72
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2736 | it414985.exe
2736 | it414985.exe
4988 | jr421986.exe
4988 | jr421986.exe
2848 | kp095790.exe
2848 | kp095790.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2736 | it414985.exe
Token: SeDebugPrivilege | 4988 | jr421986.exe
Token: SeDebugPrivilege | 2848 | kp095790.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1560 wrote to memory of 2272 | 1560 | 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe | 66
PID 1560 wrote to memory of 2272 | 1560 | 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe | 66
PID 1560 wrote to memory of 2272 | 1560 | 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe | 66
PID 2272 wrote to memory of 2456 | 2272 | zion7962.exe | 67
PID 2272 wrote to memory of 2456 | 2272 | zion7962.exe | 67
PID 2272 wrote to memory of 2456 | 2272 | zion7962.exe | 67
PID 2456 wrote to memory of 2736 | 2456 | zigM2404.exe | 68
PID 2456 wrote to memory of 2736 | 2456 | zigM2404.exe | 68
PID 2456 wrote to memory of 4988 | 2456 | zigM2404.exe | 69
PID 2456 wrote to memory of 4988 | 2456 | zigM2404.exe | 69
PID 2456 wrote to memory of 4988 | 2456 | zigM2404.exe | 69
PID 2272 wrote to memory of 2848 | 2272 | zion7962.exe | 71
PID 2272 wrote to memory of 2848 | 2272 | zion7962.exe | 71
PID 2272 wrote to memory of 2848 | 2272 | zion7962.exe | 71
PID 1560 wrote to memory of 1636 | 1560 | 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe | 72
PID 1560 wrote to memory of 1636 | 1560 | 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe | 72
PID 1560 wrote to memory of 1636 | 1560 | 033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe | 72
Processes
[1] C:\Users\Admin\AppData\Local\Temp\033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe (PID 1560)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\033710471b4e98293be5e8bc98ae8ef83aab7215ae63f75a6480c91e017462ac.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zion7962.exe (PID 2272)
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zion7962.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigM2404.exe (PID 2456)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigM2404.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it414985.exe (PID 2736)
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it414985.exe
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr421986.exe (PID 4988)
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr421986.exe
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp095790.exe (PID 2848)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp095790.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492753.exe (PID 1636)
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492753.exe
        - Executes dropped EXE
        [3] C:\Windows\SysWOW64\WerFault.exe (PID 2392)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 616
            - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe (PID 2676)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 696
            - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe (PID 3152)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 836
            - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe (PID 2788)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 884
            - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe (PID 2256)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 828
            - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe (PID 2096)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 864
            - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe (PID 2336)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1080
            - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads