Analysis
-
max time kernel
85s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
23/04/2023, 23:40
Static task
static1
General
-
Target
038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe
-
Size
564KB
-
MD5
1c6acdb718917fabd9f75705b2cc3581
-
SHA1
ae3ef9f8224028ee9706e926534e73fcf22e3a9a
-
SHA256
038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d
-
SHA512
ad0d6eb710b924a9fe28c00f9a3b4eb20d79255e5522b903168e1219b61ed1d0a2bf943496be7867a78a9891708d345f8f17d86dabab22afeeb8bf29f61cc463
-
SSDEEP
12288:vy90f2UZNLHyKSVXgDUKi7foJ3ICLzN0tv0nMTJIyq6qYrx8cY:vy5YSFVXgOMzXmtv08O7nyx83
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it098433.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it098433.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it098433.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it098433.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it098433.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it098433.exe -
Executes dropped EXE 4 IoCs
pid Process 3116 ziRn2228.exe 4728 it098433.exe 3356 kp400330.exe 4132 lr230304.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it098433.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ziRn2228.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziRn2228.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4240 3356 WerFault.exe 90 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4728 it098433.exe 4728 it098433.exe 3356 kp400330.exe 3356 kp400330.exe 4132 lr230304.exe 4132 lr230304.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4728 it098433.exe Token: SeDebugPrivilege 3356 kp400330.exe Token: SeDebugPrivilege 4132 lr230304.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4932 wrote to memory of 3116 4932 038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe 84 PID 4932 wrote to memory of 3116 4932 038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe 84 PID 4932 wrote to memory of 3116 4932 038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe 84 PID 3116 wrote to memory of 4728 3116 ziRn2228.exe 85 PID 3116 wrote to memory of 4728 3116 ziRn2228.exe 85 PID 3116 wrote to memory of 3356 3116 ziRn2228.exe 90 PID 3116 wrote to memory of 3356 3116 ziRn2228.exe 90 PID 3116 wrote to memory of 3356 3116 ziRn2228.exe 90 PID 4932 wrote to memory of 4132 4932 038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe 96 PID 4932 wrote to memory of 4132 4932 038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe 96 PID 4932 wrote to memory of 4132 4932 038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe"C:\Users\Admin\AppData\Local\Temp\038ec5eac8312f688db094973f6d872ad32a9a63124db6b2259131060ca5d81d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRn2228.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRn2228.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it098433.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it098433.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp400330.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp400330.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 17124⤵
- Program crash
PID:4240
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr230304.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr230304.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3356 -ip 33561⤵PID:4536
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5ace73b2b1f835de11594ea9a243a9f5c
SHA12f929d1f69784fbe499a95b064679a16947bdd84
SHA2567310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize
136KB
MD5ace73b2b1f835de11594ea9a243a9f5c
SHA12f929d1f69784fbe499a95b064679a16947bdd84
SHA2567310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize
409KB
MD5efa3c5d886cd92ea6fc044d3240e40ec
SHA14fcb13914a076764833b61bf1ad3e87c68a574ac
SHA2566cf71391fa90668ab30d28cba157eb30dbe0a4faaeb7d256c027360f20b1d55e
SHA5124607c42356950a98bf8c8c44dd3555ace67f7f476ef01c353fd258ba481060eaf09d0e01cd21662727de13eaf604f138f6b30086bf3b2201d1a3b821053c572d
-
Filesize
409KB
MD5efa3c5d886cd92ea6fc044d3240e40ec
SHA14fcb13914a076764833b61bf1ad3e87c68a574ac
SHA2566cf71391fa90668ab30d28cba157eb30dbe0a4faaeb7d256c027360f20b1d55e
SHA5124607c42356950a98bf8c8c44dd3555ace67f7f476ef01c353fd258ba481060eaf09d0e01cd21662727de13eaf604f138f6b30086bf3b2201d1a3b821053c572d
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
361KB
MD588344677faee2a6e862b820c3963297f
SHA1d6f547c93a5f2aa6231649f9a44d5d3e3decab30
SHA25602022aecd1a1b1359bfe126a620172d2ee648df92f11a4ab1ef51d9edf918719
SHA512d2e4e2ee1c8ad424a89584ad249727eb4796e0f27587a34b09f6606b81ade18c1376c6aaf8c06d3a764c0e1f8bf33553808804665ef7008669925ee3b342e9b6
-
Filesize
361KB
MD588344677faee2a6e862b820c3963297f
SHA1d6f547c93a5f2aa6231649f9a44d5d3e3decab30
SHA25602022aecd1a1b1359bfe126a620172d2ee648df92f11a4ab1ef51d9edf918719
SHA512d2e4e2ee1c8ad424a89584ad249727eb4796e0f27587a34b09f6606b81ade18c1376c6aaf8c06d3a764c0e1f8bf33553808804665ef7008669925ee3b342e9b6