Analysis

max time kernel: 119s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 23:43
Static task: static1
General

Target: 54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe
Size: 703KB
MD5: 46c5eaf4cde585dbe390c9bd701927c0
SHA1: fb933e9ec99d09d1ab23699a4e009a994d39e284
SHA256: 54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177
SHA512: 17cc201ac3d6fb4bda59483b12756e108edd47b26b2f99edf083aabe1ef42c7c7d6951def7958a7ed9b61369eccaa225a296873335edb4e3e1725527748dcdb6
SSDEEP: 12288:qy90AGreumrVv1qK1T2E827LnHtRI1EzCxEIzzMGF/KZzMP:qyIeuudQK1T827LnH2QkEIvB/P
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  (pr710256.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  (pr710256.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  (pr710256.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  (pr710256.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  (pr710256.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  (pr710256.exe)

Executes dropped EXE (4 IoCs)
  PID 2124  un471591.exe
  PID 4152  pr710256.exe
  PID 3256  qu652464.exe
  PID 3592  si558184.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  (pr710256.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  (pr710256.exe)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe)
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (un471591.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (un471591.exe)

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (2 IoCs)
  pid 4460, pid_target 4152, WerFault.exe, procid_target 84
  pid 2904, pid_target 3256, WerFault.exe, procid_target 90

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 4152  pr710256.exe
  PID 4152  pr710256.exe
  PID 3256  qu652464.exe
  PID 3256  qu652464.exe
  PID 3592  si558184.exe
  PID 3592  si558184.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 4152  pr710256.exe
  Token: SeDebugPrivilege  PID 3256  qu652464.exe
  Token: SeDebugPrivilege  PID 3592  si558184.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1872 wrote to memory of 2124  (54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe, procid_target 83)  x3
  PID 2124 wrote to memory of 4152  (un471591.exe, procid_target 84)  x3
  PID 2124 wrote to memory of 3256  (un471591.exe, procid_target 90)  x3
  PID 1872 wrote to memory of 3592  (54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe, procid_target 93)  x3
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe"
  PID: 1872
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe
    PID: 2124
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe
      PID: 4152
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1084
        PID: 4460
        - Program crash

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe
      PID: 3256
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 1320
        PID: 2904
        - Program crash

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe
    PID: 3592
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4152 -ip 4152
  PID: 4896

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3256 -ip 3256
  PID: 824
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 136KB
MD5: ace73b2b1f835de11594ea9a243a9f5c
SHA1: 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256: 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512: 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
Filesize: 549KB
MD5: 0e21a29d5c7408ee418d9fcd97584925
SHA1: 7c40c2c58f2654a2967eb73bbd64775781be0831
SHA256: 129661b1ec5ea757822a11632de2218bb45ab9d4bd2d72eb6ec42a74c5b239b5
SHA512: 8e74c4cee3a682545560b8eca44c16623676f2ea4c3d261b380cb6ce8da78287fd2503b4ae773c7cda7bf3c92e98a9b9f65b7cd12f7575e96ac33c6cef5432eb
Filesize: 278KB
MD5: f5fbfbfccbbacf005cf34c129effc205
SHA1: 3878229f07d89c75d64066c0561c7d2196144e9d
SHA256: c24bc9c5229b5ded0fbf35a0e9fee72a807d63d815b12ac9dd4482df462a87f3
SHA512: 2e8e30cab3d1d97a6f41f633aa9f991caf7ec1175afeb5caeb6a2484baaa7088a908160955c364e4629241cb8b40aa7a945dc61086cae900ac0ab3b26d4fdfee
Filesize: 361KB
MD5: 13a9c82af38ddf94bc6f2a30af71d7a4
SHA1: e080b8f66e1c736ed78aae2040abcae2245282ba
SHA256: aa1095d1c0aa6acabde596cb96991da56be53d8b4ed7ee22474cbedcbb140cc6
SHA512: ae6685adba118d1522a8882825005b9ef989e968b8996e48339af4d421f9efe8cee7d995a243f7b1baebab25f60e22fb2f106d90228ebddb90d6b64e8a30d91c