Analysis
-
max time kernel: 55s
max time network: 57s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/04/2023, 23:41
Static task: static1
General
-
Target: 0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe
Size: 563KB
MD5: 7a1b38990cccbcfad7aad2d07c9dffad
SHA1: 2b9e5be814113b9eff1c6ee097a5484adbe49087
SHA256: 0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb
SHA512: 329eddfea17fcaa9127a5b0a9e52ecae30ec4b725ac49cc4a827f49fa816784d14d9e9acbdc6fa0e3a257c026a20334bac56e1925c092f87166d621b545857c3
SSDEEP: 12288:Ly90Mh7xzpoFmogjN2UlopluIxUz509PgnM6iD5ZwhU70+2:LypdzS9gx2UCpRAi9PQBE5ZA
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it571856.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it571856.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it571856.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it571856.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it571856.exe
-
Executes dropped EXE 4 IoCs
pid | Process
2448 | zihA1445.exe
2576 | it571856.exe
2692 | kp795467.exe
3460 | lr455402.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it571856.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zihA1445.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zihA1445.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2576 | it571856.exe
2576 | it571856.exe
2692 | kp795467.exe
2692 | kp795467.exe
3460 | lr455402.exe
3460 | lr455402.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2576 | it571856.exe
Token: SeDebugPrivilege | 2692 | kp795467.exe
Token: SeDebugPrivilege | 3460 | lr455402.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1568 wrote to memory of 2448 | 1568 | 0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe | 66
PID 1568 wrote to memory of 2448 | 1568 | 0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe | 66
PID 1568 wrote to memory of 2448 | 1568 | 0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe | 66
PID 2448 wrote to memory of 2576 | 2448 | zihA1445.exe | 67
PID 2448 wrote to memory of 2576 | 2448 | zihA1445.exe | 67
PID 2448 wrote to memory of 2692 | 2448 | zihA1445.exe | 68
PID 2448 wrote to memory of 2692 | 2448 | zihA1445.exe | 68
PID 2448 wrote to memory of 2692 | 2448 | zihA1445.exe | 68
PID 1568 wrote to memory of 3460 | 1568 | 0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe | 70
PID 1568 wrote to memory of 3460 | 1568 | 0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe | 70
PID 1568 wrote to memory of 3460 | 1568 | 0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe | 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a45fdab6b1e1e136a9e6c5be1a7b529798e756cbe93f51944907c75a74404bb.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1568
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihA1445.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihA1445.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2448
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it571856.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it571856.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2576
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp795467.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp795467.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2692
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr455402.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr455402.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3460
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 136KB
MD5: ace73b2b1f835de11594ea9a243a9f5c
SHA1: 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256: 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512: 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize: 409KB
MD5: 62b94c5cae4c62a42f687463c0916616
SHA1: 11ca985366c3312b71e9fa56b434a5bb4b6915d0
SHA256: 9dc20260e48dfafce7bc8d4e740c4a6e6bbc96923c3ce2ba19660897b3adfbaf
SHA512: 370fff442232c4ab5aa307f0b25688390e515c22f7b0f272212d88378d428613e0efc37ac2972dfdd08c8eb81bfafafee377d7763df66bce6e5f13b8fc67789b
-
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize: 361KB
MD5: d44070a3fe1878bce68d9b50c14059ef
SHA1: 66214b568d37445c2eb43e54749a57809e2b0940
SHA256: a8ca4b3ce96ae7120b91c94ac91cdb5213d861f4b2f840b138d3c40cd0c99336
SHA512: 6b5b6d657adee7ffc9589981bc3445350044e2c65f8056ee724644fcfe5bd86fd936957397a828ce743b652103e989e6ce50ad14cec50230eccd594a6ce52546