Analysis
-
max time kernel
141s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted
23/04/2023, 23:40
Static task
static1
General
-
Target
0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe
-
Size
704KB
-
MD5
d32401f66d44f8b74d34e3b186960958
-
SHA1
46174e2c1da08d6a292aa1ec8d30d0fa7eb61479
-
SHA256
0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486
-
SHA512
cd9327f9c57a9fad6f093b2e6a9edd6831337a7170a428a114f8f26761ab36b4eb3298c7129bb22eb273520250eb75b695110eece49f67f667e1309aeedf127f
-
SSDEEP
12288:Dy90nd8NuNe6/35x5D2966rHxVswk43DI1ozCyeIzOMy2/K5xD1Ar:DyKK0NN5xdArHD9X3u07eIqVBD1Ar
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr654625.exe
All five values are written under the Real-Time Protection policy key and together switch off real-time scanning, on-access scanning, behaviour monitoring and download (IOAV) scanning. The writes land in the WOW6432Node view because pr654625.exe is a 32-bit process (its crash is handled by the SysWOW64 WerFault.exe). The rows record the write calls, not whether Defender honoured them.
Executes dropped EXE 4 IoCs
pid | Process
4808 | un540130.exe
2036 | pr654625.exe
3836 | qu494956.exe
740 | si272452.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr654625.exe
Writing TamperProtection = 0 is an attempt to switch off Defender's tamper protection, the feature that guards the real-time protection settings above against exactly this kind of registry change. The row records the write call; where tamper protection is already enabled on the host the change is expected to be blocked.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un540130.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un540130.exe
Both RunOnce values are the standard cleanup hooks written by the Windows self-extracting cabinet stub (wextract): at the next logon, rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the IXP000.TMP and IXP001.TMP extraction directories. They do not start the dropped payloads, so this is not persistence for the malware itself. They do show that the sample is a two-level wextract package: the outer sample extracts un540130.exe and si272452.exe into IXP000.TMP, and un540130.exe extracts pr654625.exe and qu494956.exe into IXP001.TMP.
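The three registry tables above (the Real-Time Protection policy writes, the TamperProtection write and the RunOnce entries) are the kind of rows an analyst ends up scoring automatically when working through many reports. The Python below is an added example written for this page, not the sandbox's own signature logic: the rule names, the RegEvent/Finding types and the normalise/classify functions are this example's own, and the sample rows are copied from the tables above. It folds the WOW6432Node view into the 64-bit path so a 32-bit and a 64-bit writer trigger the same rule, and it separates wextract cleanup entries from genuine Run-key persistence.

```python
"""Score registry-write IOC rows of the kind shown in the signature tables.

Added example for this page; not code from the sandbox or from the sample.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the rows of the three registry tables above,
# in "description | ioc | Process" form.
SAMPLE_ROWS = r"""
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr654625.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr654625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr654625.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un540130.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe
"""


@dataclass(frozen=True)
class RegEvent:
    action: str            # "Key created" or "Set value (int|str)"
    path: str              # key path; for Set value rows it ends in \ValueName
    data: Optional[str]    # value data with the surrounding quotes stripped
    process: str


@dataclass(frozen=True)
class Finding:
    rule: str              # hypothetical rule name chosen for this example
    process: str
    path: str              # normalised HKLM\SOFTWARE\... path


def parse_row(row: str) -> RegEvent:
    """Split one 'description | ioc | Process' row into a RegEvent."""
    action, ioc, process = (part.strip() for part in row.split(" | ", 2))
    data = None
    if action.startswith("Set value"):
        path, sep, rest = ioc.partition(' = "')
        if not sep or not rest.endswith('"'):
            raise ValueError(f"malformed Set value row: {row!r}")
        data = rest[:-1]
    else:
        path = ioc
    return RegEvent(action, path, data, process)


# The sandbox reports native paths; map them to HKLM\SOFTWARE and drop the
# WOW6432Node view so 32-bit and 64-bit writers are scored identically.
_HIVE = re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?", re.IGNORECASE)


def normalise(path: str) -> str:
    return _HIVE.sub(r"HKLM\\SOFTWARE\\", path)


_RTP_PREFIX = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\\"
_TAMPER_VALUE = "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection"
_RUNKEY_RE = re.compile(r"^hklm\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$")
_WEXTRACT_RE = re.compile(r"^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 ", re.IGNORECASE)


def classify(ev: RegEvent) -> Optional[Finding]:
    """Map one event to a finding, or None for events that are only context."""
    if ev.data is None:                      # Key created: no finding by itself
        return None
    path = normalise(ev.path)
    low = path.lower()
    value_name = low.rsplit("\\", 1)[-1]
    if low.startswith(_RTP_PREFIX) and value_name.startswith("disable") and ev.data == "1":
        return Finding("defender_rtp_disabled", ev.process, path)
    if low == _TAMPER_VALUE and ev.data == "0":
        return Finding("defender_tamper_protection_off", ev.process, path)
    m = _RUNKEY_RE.match(low)
    if m:
        # wextract's own cleanup hook deletes the extraction dir; it does not
        # launch a payload, so it is reported separately from real persistence.
        if m.group(2).startswith("wextract_cleanup") and _WEXTRACT_RE.match(ev.data):
            return Finding("wextract_cleanup_entry", ev.process, path)
        return Finding("run_key_persistence", ev.process, path)
    return None


def analyse(rows: str) -> list:
    return [f for line in rows.strip().splitlines()
            if (f := classify(parse_row(line))) is not None]


def summary(findings) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(SAMPLE_ROWS):
        print(f"{f.rule:32} {f.process:16} {f.path}")
```

On the rows above this yields five defender_rtp_disabled findings and one defender_tamper_protection_off finding, all for pr654625.exe, and two wextract_cleanup_entry findings; nothing is reported as run_key_persistence, which matches the reading of the RunOnce table given above.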
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
sc.exe is the Windows command-line utility for controlling services. The invocation recorded in the process tree is sc.exe start wuauserv, which starts the Windows Update service.
pid | Process
2764 | sc.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4624 | 2036 | WerFault.exe | 84
2040 | 3836 | WerFault.exe | 90
pid_target 2036 is pr654625.exe and 3836 is qu494956.exe (see Executes dropped EXE above): both dropped payloads crashed in the sandbox.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2036 | pr654625.exe
2036 | pr654625.exe
3836 | qu494956.exe
3836 | qu494956.exe
740 | si272452.exe
740 | si272452.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2036 | pr654625.exe
Token: SeDebugPrivilege | 3836 | qu494956.exe
Token: SeDebugPrivilege | 740 | si272452.exe
Enabling SeDebugPrivilege lets a process open other processes, including those running as other users, for reading and writing memory; together with the process enumeration above it is the usual prelude to reading data out of, or injecting into, other processes.
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1612 wrote to memory of 4808 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 83
PID 1612 wrote to memory of 4808 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 83
PID 1612 wrote to memory of 4808 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 83
PID 4808 wrote to memory of 2036 | 4808 | un540130.exe | 84
PID 4808 wrote to memory of 2036 | 4808 | un540130.exe | 84
PID 4808 wrote to memory of 2036 | 4808 | un540130.exe | 84
PID 4808 wrote to memory of 3836 | 4808 | un540130.exe | 90
PID 4808 wrote to memory of 3836 | 4808 | un540130.exe | 90
PID 4808 wrote to memory of 3836 | 4808 | un540130.exe | 90
PID 1612 wrote to memory of 740 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 93
PID 1612 wrote to memory of 740 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 93
PID 1612 wrote to memory of 740 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 93
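The twelve rows above reduce to four distinct parent/child pairs, because each pair is recorded three times, and every target is a process the parent went on to run. The Python below is an added example for this page, not Triage code: it de-duplicates the rows, rebuilds the parent/child tree from them, and names the children from the Executes dropped EXE table. The row format, function names and rendering style are this example's own; the rows are copied from the tables above.

```python
"""Rebuild the process tree from "wrote to memory of" rows.

Added example for this page; not code from the sandbox.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample input: the twelve WriteProcessMemory rows above, in
# "description | pid | Process | procid_target" form.
WPM_ROWS = """
PID 1612 wrote to memory of 4808 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 83
PID 1612 wrote to memory of 4808 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 83
PID 1612 wrote to memory of 4808 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 83
PID 4808 wrote to memory of 2036 | 4808 | un540130.exe | 84
PID 4808 wrote to memory of 2036 | 4808 | un540130.exe | 84
PID 4808 wrote to memory of 2036 | 4808 | un540130.exe | 84
PID 4808 wrote to memory of 3836 | 4808 | un540130.exe | 90
PID 4808 wrote to memory of 3836 | 4808 | un540130.exe | 90
PID 4808 wrote to memory of 3836 | 4808 | un540130.exe | 90
PID 1612 wrote to memory of 740 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 93
PID 1612 wrote to memory of 740 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 93
PID 1612 wrote to memory of 740 | 1612 | 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | 93
"""

# Constructed sample input: the Executes dropped EXE rows (pid | Process),
# used to put names on the child PIDs, which the WPM rows do not carry.
DROPPED_ROWS = """
4808 | un540130.exe
2036 | pr654625.exe
3836 | qu494956.exe
740 | si272452.exe
"""

_WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) \| (\d+) \| (\S+) \| (\d+)$")

Edge = Tuple[int, int]


def parse_edges(rows: str) -> Tuple[List[Edge], Dict[int, str]]:
    """Return (parent, child) pairs in first-seen order, de-duplicated, plus
    the parent names the rows carry. The report repeats every pair three times."""
    edges: List[Edge] = []
    names: Dict[int, str] = {}
    for line in rows.strip().splitlines():
        m = _WPM.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, pid, proc, _target = m.groups()
        if src != pid:
            raise ValueError(f"description PID {src} disagrees with pid column {pid}")
        names[int(pid)] = proc
        edge = (int(src), int(dst))
        if edge not in edges:
            edges.append(edge)
    return edges, names


def parse_names(rows: str) -> Dict[int, str]:
    out: Dict[int, str] = {}
    for line in rows.strip().splitlines():
        pid, proc = (part.strip() for part in line.split("|", 1))
        out[int(pid)] = proc
    return out


def build_tree(edges: List[Edge]) -> Tuple[List[int], Dict[int, List[int]]]:
    """Roots are writers that were never themselves written to; children keep row order."""
    children: Dict[int, List[int]] = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    written_to = {child for _, child in edges}
    roots = list(dict.fromkeys(p for p, _ in edges if p not in written_to))
    return roots, dict(children)


def render(roots: List[int], children: Dict[int, List[int]], names: Dict[int, str]) -> List[str]:
    """Indented one-line-per-process view, the same shape as the Processes section."""
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{names.get(pid, '<unknown>')} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, names = parse_edges(WPM_ROWS)
    names.update(parse_names(DROPPED_ROWS))
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, names)))
```

The result is the sample as the single root with un540130.exe and si272452.exe beneath it and pr654625.exe and qu494956.exe beneath un540130.exe, which is exactly the lineage the Processes section shows; the WerFault.exe and sc.exe entries do not appear because no WriteProcessMemory row names them.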
Processes
Process tree (indentation shows parent/child; each entry gives the image path, the command line as recorded, the signatures it triggered and its PID):

C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1612

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4808

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2036

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1080
        - Program crash
        PID: 4624

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3836

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1344
        - Program crash
        PID: 2040

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 740

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2036 -ip 2036
  PID: 2040

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3836 -ip 3836
  PID: 4608

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 2764
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 136KB
MD5: ace73b2b1f835de11594ea9a243a9f5c
SHA1: 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256: 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512: 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize: 550KB
MD5: 3716070e9cf82b326e533cb2b251ae06
SHA1: 0cb712593323fca6d0637028629c9104e179eb0b
SHA256: 0e00246e7fbc2943d3895655ed324d8b1c64002eec03494bef9b779acf5b03cb
SHA512: 52a831d50ec46e504da4a7c74b84464ed6698c2271e5266e19e37c68d8277351639777795cfbbe26fe6f37fe65d7fb3a07959385136a81138ccc88ceffab6a5c
-
Filesize: 278KB
MD5: 11e72c2a4887cd2e6f90623db124f4dc
SHA1: 68b89e8ad8859959ffe8c9f06134b623d340f9cb
SHA256: 2bd8922b86b99725d39f2b0c9411656306a0589f534000b6c663cb719480d96f
SHA512: 3baffcc65815baaaa24c0444406111f6a4f4e55b2eb626254485083e804980a33c3582017b2124136d5212214d67ef51edd4c015ff6b98b65ae05931b431a7e3
-
Filesize: 361KB
MD5: eadd8ff67f7fd246be33d6a1a5cedbc8
SHA1: 946299436c436942683bf78b6e2a45098077411e
SHA256: 7a5278fb7f31f95af5a0cd775707fbcb6b6dd61b915405a996127643d5892af5
SHA512: c28fce2a0833fe3cea3dca39ab0e0a1ba9b10dc41f6f1343187fd50b7d799aac491b8884b75ae25d36a0f258c02dfacbb00d8e4931f77356a622036ed2aaf073