Analysis
max time kernel: 53s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/04/2023, 23:44
Static task: static1
General
Target: 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe
Size: 564KB
MD5: 76a20206427b673ef62c10952aec48c8
SHA1: 1525762cbc7db2512fcf65d61a6141dffb090c74
SHA256: 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381
SHA512: 1924f5e1fc9ff335c28db4c771cab5f341c76270c9ad215b49daf4c1988d67acde0187fe66d006f4d708580f41fbe2e3a90d6a5114605ab0b6875b61d21ffe80
SSDEEP: 12288:Jy90Y6N0uJjd4v5gohS6GIWUzJ0HlRnM/dFcDg4LzkW7a:Jy6N0a4c/ASHlVsdFcOWO
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it459475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it459475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it459475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it459475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it459475.exe
-
Executes dropped EXE 4 IoCs
pid | Process
3016 | ziwb8250.exe
2968 | it459475.exe
3916 | kp300830.exe
912 | lr110460.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it459475.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziwb8250.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziwb8250.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2968 | it459475.exe
2968 | it459475.exe
3916 | kp300830.exe
3916 | kp300830.exe
912 | lr110460.exe
912 | lr110460.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2968 | it459475.exe
Token: SeDebugPrivilege | 3916 | kp300830.exe
Token: SeDebugPrivilege | 912 | lr110460.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2408 wrote to memory of 3016 | 2408 | 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | 66
PID 2408 wrote to memory of 3016 | 2408 | 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | 66
PID 2408 wrote to memory of 3016 | 2408 | 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | 66
PID 3016 wrote to memory of 2968 | 3016 | ziwb8250.exe | 67
PID 3016 wrote to memory of 2968 | 3016 | ziwb8250.exe | 67
PID 3016 wrote to memory of 3916 | 3016 | ziwb8250.exe | 68
PID 3016 wrote to memory of 3916 | 3016 | ziwb8250.exe | 68
PID 3016 wrote to memory of 3916 | 3016 | ziwb8250.exe | 68
PID 2408 wrote to memory of 912 | 2408 | 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | 70
PID 2408 wrote to memory of 912 | 2408 | 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | 70
PID 2408 wrote to memory of 912 | 2408 | 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | 70
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe"
  PID: 2408
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe
    PID: 3016
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe
      PID: 2968
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300830.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300830.exe
      PID: 3916
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr110460.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr110460.exe
    PID: 912
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 136KB
MD5: ace73b2b1f835de11594ea9a243a9f5c
SHA1: 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256: 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512: 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize: 409KB
MD5: 31c9f92e60429bd11d92d11300439bba
SHA1: d2c1b1be345111a644ec94b1bef5454a97ae2684
SHA256: e762672ac443cbf80253ea06bcf69a45d1a7246afa0a30ce0cf00fe360a18492
SHA512: f2f7851a838a94212ade23b1d530364f7a7fc8c0fe81835d3e12a6441052131c20c2bfa9093b56608186463081fab85c6bf5e18d8732c5490174ae7b78e51d41
-
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize: 361KB
MD5: dabc83967b13f93f6ad7030670809fba
SHA1: f22a07898a2de623acb556574685a74feb2b1ca7
SHA256: 29c26d9dd2fe4f6f61a8e355eac7eb15d184868f6135deca2245dde4b133ea8c
SHA512: 52dd684611ec29c9a73edda75ca1935e06e0ac2578f3209ecbc9ccf38b91256eee181fa11d3537f5488277c02446696f9978f03df51725546e45c175033cf15f