Analysis
- max time kernel: 99s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2023, 23:42
Static task: static1
General
- Target: 8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe
- Size: 705KB
- MD5: 7373aeb56ab303beae28eb3241fe6f1a
- SHA1: 9affec4f9197c10a3dfbffa47c643041266e3859
- SHA256: 8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13
- SHA512: cbf5948829bb3d4e6cfd2281f68f3a5fea2a8c7251b18257df231cf02c3b3451f9424cbb6881e53bef03da881869163b45e676c33c10abb03fbb8a953b27952d
- SSDEEP: 12288:Ry90fri7aSPUQQG95EATMK/+y2slqVcw/v/0y85eD5NTI1kzCZgIzLMjE/K1Yvp:Ry0ri7aSPOGMK//lWt/85eDP+wwgI/Ao
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr989912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr989912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr989912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr989912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr989912.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr989912.exe
Executes dropped EXE 4 IoCs
pid | Process
4368 | un041039.exe
3116 | pr989912.exe
4188 | qu011467.exe
484 | si539098.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr989912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr989912.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un041039.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un041039.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2356 | 3116 | WerFault.exe | 84
1440 | 4188 | WerFault.exe | 90
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3116 | pr989912.exe
3116 | pr989912.exe
4188 | qu011467.exe
4188 | qu011467.exe
484 | si539098.exe
484 | si539098.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3116 | pr989912.exe
Token: SeDebugPrivilege | 4188 | qu011467.exe
Token: SeDebugPrivilege | 484 | si539098.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4628 wrote to memory of 4368 | 4628 | 8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe | 83
PID 4628 wrote to memory of 4368 | 4628 | 8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe | 83
PID 4628 wrote to memory of 4368 | 4628 | 8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe | 83
PID 4368 wrote to memory of 3116 | 4368 | un041039.exe | 84
PID 4368 wrote to memory of 3116 | 4368 | un041039.exe | 84
PID 4368 wrote to memory of 3116 | 4368 | un041039.exe | 84
PID 4368 wrote to memory of 4188 | 4368 | un041039.exe | 90
PID 4368 wrote to memory of 4188 | 4368 | un041039.exe | 90
PID 4368 wrote to memory of 4188 | 4368 | un041039.exe | 90
PID 4628 wrote to memory of 484 | 4628 | 8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe | 93
PID 4628 wrote to memory of 484 | 4628 | 8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe | 93
PID 4628 wrote to memory of 484 | 4628 | 8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8dfb8cf0fb9c6a3f313cf0773f3aa82111c4b71968f6861baeec3358fb203e13.exe"
  PID: 4628
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un041039.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un041039.exe
    PID: 4368
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr989912.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr989912.exe
      PID: 3116
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1080
        PID: 2356
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu011467.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu011467.exe
      PID: 4188
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1932
        PID: 1440
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si539098.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si539098.exe
    PID: 484
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3116 -ip 3116
  PID: 3284
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4188 -ip 4188
  PID: 4296
Network
MITRE ATT&CK Enterprise v6
Downloads