Analysis

max time kernel: 97s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/04/2023, 23:38
Static task: static1
General

Target: 257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe
Size: 695KB
MD5: 4d9d733d28de3349dd70af9f0705c2e9
SHA1: 621e761f815ff78609becfb3b62d87e8c761ec5d
SHA256: 257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6
SHA512: f86c71a2e4357a7cf49a9465c7b49d022d359db8a1e53324be34e76b33885a2cd81efd195a1367cd4c135de08df4fe092ae69bf77dcbf90a2f4d597be7be775b
SSDEEP: 12288:Hy90iBhxGB+g3QWdkOXromsxxECaFKCuYeHcYZxQQJb/iB04GXm:HyHT1W+OsH7ECaXuYQYcuoW
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
Sets the Group Policy values under Windows Defender\Real-Time Protection that switch off behaviour monitoring, IOAV (downloaded-file) scanning, on-access scanning and real-time monitoring. The sandbox records the registry writes; it does not show whether Defender applied them.
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pr453687.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pr453687.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pr453687.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pr453687.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pr453687.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pr453687.exe
-
Executes dropped EXE 4 IoCs
pid   process
1008  un739030.exe
4756  pr453687.exe
2508  qu349075.exe
2972  si840687.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 IoCs
Clears the TamperProtection value under Windows Defender\Features. When Tamper Protection is on, this value and the Real-Time Protection settings above are protected from changes by untrusted processes; the report logs the attempted write, not its outcome.
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pr453687.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pr453687.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Both RunOnce values are the cleanup entry written by the IExpress (wextract) self-extractor that unpacks into IXP00n.TMP: on the next run it deletes that temp directory through advpack.dll's DelNodeRunDLL32 and does not relaunch the payload, so this is an unpacking artefact rather than persistence.
description  ioc  process
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  un739030.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un739030.exe
-
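The three registry tables above (the Real-Time Protection policy writes, the TamperProtection write and the RunOnce entries) can be sorted mechanically when triaging many reports. The Python below is an added example and is not part of the sandbox report or of the sample's code: it parses rows in the report's own `Set value (type) <path> = "<data>" <process>` shape and puts them into three buckets. The sample rows are constructed from the values shown above, plus one unrelated Run-key write as a control; the key suffixes and the `advpack.dll,DelNodeRunDLL32` marker are my own detection rules, not anything the report states.

```python
"""Sort sandbox registry-write rows into Defender tampering, IExpress cleanup
and other.  Added example, not part of the report.  Only 'Set value' rows are
parsed; 'Key created' rows carry no data and are left out of the sample."""
import re
from collections import defaultdict

# Constructed sample rows: the 'Set value' rows from the report's tables, plus
# one unrelated Run-key write (constructed) as a control.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr453687.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr453687.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr453687.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr453687.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr453687.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr453687.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un739030.exe',
    # Constructed control row, not from the report: a plain Run-key write.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Tools\\updater.exe" other.exe',
]

# Row shape used by the report; data may contain escaped quotes (\") and
# doubled backslashes, so it is matched as a sequence of escapes or non-quotes.
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>\S+)$'
)

# Detection rules (my own, lower-cased key suffixes with WOW6432Node removed).
RTP_POLICY_KEY = r"\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"\microsoft\windows defender\features"
RUNONCE_KEY = r"\microsoft\windows\currentversion\runonce"
CLEANUP_STUB = "advpack.dll,delnoderundll32"   # IExpress temp-dir deletion stub


def parse_row(row):
    """Split one report row into process, normalised key, value name and data."""
    m = ROW_RE.match(row)
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    # Drop the WOW6432Node redirection so 32- and 64-bit views hit the same rule.
    return {"proc": m["proc"], "key": key.lower().replace(r"\wow6432node", ""),
            "name": name, "data": m["data"]}


def categorise(ev):
    key, name, data = ev["key"], ev["name"], ev["data"]
    if key.endswith(RTP_POLICY_KEY) and name.lower().startswith("disable") and data == "1":
        return "defender_tamper"
    if key.endswith(FEATURES_KEY) and name.lower() == "tamperprotection" and data == "0":
        return "defender_tamper"
    if key.endswith(RUNONCE_KEY) and CLEANUP_STUB in data.lower():
        return "iexpress_cleanup"
    return "other"


def classify(rows):
    """Return {category: [parsed events]}; rows that do not parse go to 'unparsed'."""
    out = defaultdict(list)
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            out["unparsed"].append(row)
            continue
        out[categorise(ev)].append(ev)
    return dict(out)


def defender_tampering_by_process(rows):
    """{process: sorted list of Defender values it tampered with}."""
    by_proc = defaultdict(set)
    for ev in classify(rows).get("defender_tamper", []):
        by_proc[ev["proc"]].add(ev["name"])
    return {proc: sorted(names) for proc, names in by_proc.items()}


if __name__ == "__main__":
    for cat, evs in classify(SAMPLE_ROWS).items():
        print(cat)
        for ev in evs:
            print("  " + (ev if cat == "unparsed" else f"{ev['proc']}: {ev['name']} = {ev['data']}"))
```

Two choices in the classifier matter for real logs: the WOW6432Node prefix is stripped so a 32-bit process writing through the redirector and a 64-bit process writing the native key trigger the same rule, and the data value is checked, not just the name, so a write that sets `DisableRealtimeMonitoring` back to `"0"` is not reported as tampering.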
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid   pid_target  process       procid_target
3316  4756        WerFault.exe  86
444   2508        WerFault.exe  92
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   process
4756  pr453687.exe
4756  pr453687.exe
2508  qu349075.exe
2508  qu349075.exe
2972  si840687.exe
2972  si840687.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description               pid   process
Token: SeDebugPrivilege   4756  pr453687.exe
Token: SeDebugPrivilege   2508  qu349075.exe
Token: SeDebugPrivilege   2972  si840687.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Each parent/child pair is logged three times in the report; the rows are collapsed here with the count.
description                        pid   process                                                               procid_target  entries
PID 4504 wrote to memory of 1008   4504  257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe  85             3
PID 1008 wrote to memory of 4756   1008  un739030.exe                                                          86             3
PID 1008 wrote to memory of 2508   1008  un739030.exe                                                          92             3
PID 4504 wrote to memory of 2972   4504  257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe  97             3
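The WriteProcessMemory rows and the crash rows can be joined back into a process tree, which is useful when a report's tree view is missing or truncated. The Python below is an added example, not part of the report: the row text is constructed from the two tables above, the pid-to-name map comes from the "Executes dropped EXE" table plus the root process, and the parser collapses the three identical rows the report logs per parent/child pair into one edge with a count.

```python
"""Rebuild the process tree from 'wrote to memory of' rows and mark the
processes WerFault reported as crashed.  Added example, not from the report."""
import re
from collections import defaultdict

# Constructed from 'Executes dropped EXE' and the root of the process tree.
PROC_NAMES = {
    4504: "257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe",
    1008: "un739030.exe",
    4756: "pr453687.exe",
    2508: "qu349075.exe",
    2972: "si840687.exe",
}

# Constructed from the 'Suspicious use of WriteProcessMemory' table (12 rows).
WPM_ROWS = """
PID 4504 wrote to memory of 1008 4504 257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe 85
PID 4504 wrote to memory of 1008 4504 257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe 85
PID 4504 wrote to memory of 1008 4504 257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe 85
PID 1008 wrote to memory of 4756 1008 un739030.exe 86
PID 1008 wrote to memory of 4756 1008 un739030.exe 86
PID 1008 wrote to memory of 4756 1008 un739030.exe 86
PID 1008 wrote to memory of 2508 1008 un739030.exe 92
PID 1008 wrote to memory of 2508 1008 un739030.exe 92
PID 1008 wrote to memory of 2508 1008 un739030.exe 92
PID 4504 wrote to memory of 2972 4504 257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe 97
PID 4504 wrote to memory of 2972 4504 257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe 97
PID 4504 wrote to memory of 2972 4504 257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe 97
"""

# Constructed from the 'Program crash' table: WerFault pid, crashed pid, process, procid_target.
CRASH_ROWS = """
3316 4756 WerFault.exe 86
444 2508 WerFault.exe 92
"""

EDGE_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ \S+ \d+")
CRASH_RE = re.compile(r"(?P<wer>\d+) (?P<target>\d+) WerFault\.exe \d+")


def parse_edges(text):
    """{(parent_pid, child_pid): number of rows logged}, in first-seen order."""
    edges = defaultdict(int)
    for m in EDGE_RE.finditer(text):
        edges[(int(m["src"]), int(m["dst"]))] += 1
    return dict(edges)


def children(edges):
    """{parent_pid: [child_pid, ...]} built from the edge dictionary."""
    tree = defaultdict(list)
    for parent, child in edges:
        tree[parent].append(child)
    return dict(tree)


def roots(tree):
    """Parents that never appear as somebody's child."""
    all_children = {c for cs in tree.values() for c in cs}
    return [p for p in tree if p not in all_children]


def crashed(text):
    """{crashed_pid: WerFault_pid} from the Program crash rows."""
    return {int(m["target"]): int(m["wer"]) for m in CRASH_RE.finditer(text)}


def render(tree, names, crashes, pid, depth=0, out=None):
    """Indented one-line-per-process view, marking crashed processes."""
    out = [] if out is None else out
    mark = f"  [crashed, WerFault pid {crashes[pid]}]" if pid in crashes else ""
    out.append(f"{'    ' * depth}{names.get(pid, '?')} (pid {pid}){mark}")
    for child in tree.get(pid, []):
        render(tree, names, crashes, child, depth + 1, out)
    return out


if __name__ == "__main__":
    tree = children(parse_edges(WPM_ROWS))
    for root in roots(tree):
        print("\n".join(render(tree, PROC_NAMES, crashed(CRASH_ROWS), root)))
```

The rendered tree puts pr453687.exe and qu349075.exe under un739030.exe and si840687.exe directly under the root, matching the Processes section below; the crash marks show that both second-stage payloads died under WerFault while si840687.exe did not.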
Processes

C:\Users\Admin\AppData\Local\Temp\257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe  (PID 4504)
  command line: "C:\Users\Admin\AppData\Local\Temp\257d2df80cb2ec8363adf2a022d3ccc0a2ca04b0c114e542292ebd8ce8de44e6.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un739030.exe  (PID 1008)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un739030.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr453687.exe  (PID 4756)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr453687.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe  (PID 3316)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1052
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu349075.exe  (PID 2508)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu349075.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe  (PID 444)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1356
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si840687.exe  (PID 2972)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si840687.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (PID 1744)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4756 -ip 4756

C:\Windows\SysWOW64\WerFault.exe  (PID 1448)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2508 -ip 2508
Network
MITRE ATT&CK Enterprise v6
Downloads

Four distinct dropped files; each is listed twice in the original report with identical hashes and is given once here.

Filesize: 136KB
MD5: 8c80b06d843bd6a7599a5be2075d9a55
SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Filesize: 541KB
MD5: 8ffab0b068eeeb576c3f12dcdc32efc5
SHA1: c61b37d24fa23fb10aeb23393fff8b5c724c55a3
SHA256: 070d3e359ab99db53ae9581ca5ce7db755d846602bef7f9a574bff33a272f6d5
SHA512: 16baa4b8692994596e37ac093bbdb46cce67056a2969e39e1edd29c50cd506dadaa03ba02336dc064d30928b5ac43ffa8aa1029e47304ad87e9294233c492e28

Filesize: 269KB
MD5: 4f489f11ad4d417574dc1a8d7e57e1e0
SHA1: efc6a096259272638fbe7e78247709accd6fa3fe
SHA256: 5a990f01cc8d61ea614b3c77eec22b71ca691a92b28e8bfecbe4d5f2aeb0ef17
SHA512: a78918f51839cde30b63d30b4560c8c1e56b247be87964361b2c97c9aeb29f7e605cb6858336fb72554c934c4a5f346685c003053c52026fc037b8be8fe1b527

Filesize: 351KB
MD5: 062eca33791fb38f08560ffd48ef4f4e
SHA1: 74e7440da48d10520f199814731d596af40239df
SHA256: 91cf662a032be62ecc945cd8823629b6ab6ca05ac974b20a10fe5f9c0da4e0ad
SHA512: 2c69d9bba9711918b3fd258d09b9083b920c3e84a0d385b7a524e5f2f691aabfa153d974a2bbb9bdb1d8cf18ce43e6d6fc57efb5b5e14917e08839c27f748159