Analysis
max time kernel: 135s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/04/2023, 05:30
Static task: static1
General
Target: 3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe
Size: 705KB
MD5: ac5eb0c24b5270a782158735dc67c3cb
SHA1: cede90760f6e0d2954436862c6c3fe9c2057e760
SHA256: 3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871
SHA512: f41fe995bffa7dc1863787a70d77c39d3f44d65c7392372750bb57cf7ece1f13a068c6a5d57e3d711f48cf5140684580e92c1e107ec0534a1cf295c2bea66794
SSDEEP: 12288:ky903+JevpSPHJ64BpFIpFywW3f4bEGdrOJY8c0nZZJeGcw8BBev:kyMCeBqtFekwW3fIEQrOTcM3cw8BBev
Signatures
Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: pr877760.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (process: pr877760.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: pr877760.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: pr877760.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: pr877760.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: pr877760.exe)
Executes dropped EXE (4 IoCs)
- PID 1980: un001953.exe
- PID 2616: pr877760.exe
- PID 1680: qu942735.exe
- PID 3616: si617199.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (process: pr877760.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: pr877760.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: un001953.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: 3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: un001953.exe)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe (1 IoCs)
sc.exe is a Windows utility to control services on the system.
- PID 2228: sc.exe
Program crash (2 IoCs)
- PID 1832: WerFault.exe (pid_target 2616, procid_target 84)
- PID 4240: WerFault.exe (pid_target 1680, procid_target 90)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 2616: pr877760.exe
- PID 2616: pr877760.exe
- PID 1680: qu942735.exe
- PID 1680: qu942735.exe
- PID 3616: si617199.exe
- PID 3616: si617199.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 2616: pr877760.exe
- Token: SeDebugPrivilege, PID 1680: qu942735.exe
- Token: SeDebugPrivilege, PID 3616: si617199.exe
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3040 wrote to memory of 1980 (process: 3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe, procid_target 83)
- PID 3040 wrote to memory of 1980 (process: 3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe, procid_target 83)
- PID 3040 wrote to memory of 1980 (process: 3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe, procid_target 83)
- PID 1980 wrote to memory of 2616 (process: un001953.exe, procid_target 84)
- PID 1980 wrote to memory of 2616 (process: un001953.exe, procid_target 84)
- PID 1980 wrote to memory of 2616 (process: un001953.exe, procid_target 84)
- PID 1980 wrote to memory of 1680 (process: un001953.exe, procid_target 90)
- PID 1980 wrote to memory of 1680 (process: un001953.exe, procid_target 90)
- PID 1980 wrote to memory of 1680 (process: un001953.exe, procid_target 90)
- PID 3040 wrote to memory of 3616 (process: 3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe, procid_target 93)
- PID 3040 wrote to memory of 3616 (process: 3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe, procid_target 93)
- PID 3040 wrote to memory of 3616 (process: 3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe, procid_target 93)
Processes
- C:\Users\Admin\AppData\Local\Temp\3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe (PID 3040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b2484353421446e7077601d4480556f4070815b78ad60635f0e8e5907a0c871.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001953.exe (PID 1980)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001953.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr877760.exe (PID 2616)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr877760.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 1832)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1092
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu942735.exe (PID 1680)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu942735.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 4240)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1320
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si617199.exe (PID 3616)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si617199.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 4628)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2616 -ip 2616
- C:\Windows\SysWOW64\WerFault.exe (PID 3784)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1680 -ip 1680
- C:\Windows\system32\sc.exe (PID 2228)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Downloads