Analysis
-
max time kernel
52s -
max time network
64s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
23/04/2023, 23:44
Static task
static1
General
-
Target
ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe
-
Size
704KB
-
MD5
d5f53a529d7ca25cc9d341990c85db4c
-
SHA1
e81cd47ff4424d042d8f0aee38a1b741c0350d01
-
SHA256
ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc
-
SHA512
ebd9b6eb54f3bbad15aafaa073841fe0cde4b4ba79817372474d052b867bce76cca2e1ae4b35c31494236a889710b97cb806a0ff259ab0df0fe6fd92a650b962
-
SSDEEP
12288:+y90nMBYiLeqPyzx7Z/KTXuTGktCGIDmBWS3SpI1qzCdlIzmMC3/KbnqvUr:+y0MB/yt7tcXubtrIOnlCUlI6JonHr
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr255118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr255118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr255118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr255118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr255118.exe -
Executes dropped EXE 4 IoCs
pid Process 2544 un417543.exe 2988 pr255118.exe 2628 qu994919.exe 3892 si285581.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr255118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr255118.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un417543.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un417543.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2988 pr255118.exe 2988 pr255118.exe 2628 qu994919.exe 2628 qu994919.exe 3892 si285581.exe 3892 si285581.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2988 pr255118.exe Token: SeDebugPrivilege 2628 qu994919.exe Token: SeDebugPrivilege 3892 si285581.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2284 wrote to memory of 2544 2284 ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe 66 PID 2284 wrote to memory of 2544 2284 ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe 66 PID 2284 wrote to memory of 2544 2284 ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe 66 PID 2544 wrote to memory of 2988 2544 un417543.exe 67 PID 2544 wrote to memory of 2988 2544 un417543.exe 67 PID 2544 wrote to memory of 2988 2544 un417543.exe 67 PID 2544 wrote to memory of 2628 2544 un417543.exe 68 PID 2544 wrote to memory of 2628 2544 un417543.exe 68 PID 2544 wrote to memory of 2628 2544 un417543.exe 68 PID 2284 wrote to memory of 3892 2284 ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe 70 PID 2284 wrote to memory of 3892 2284 ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe 70 PID 2284 wrote to memory of 3892 2284 ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe"C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5ace73b2b1f835de11594ea9a243a9f5c
SHA12f929d1f69784fbe499a95b064679a16947bdd84
SHA2567310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize
136KB
MD5ace73b2b1f835de11594ea9a243a9f5c
SHA12f929d1f69784fbe499a95b064679a16947bdd84
SHA2567310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize
550KB
MD555381a45a9f8d15d448a44a6fcede0f8
SHA1ded5a07d33b22c25350d5acb6a41a51a04a95558
SHA256d029051c4a9e3b50f4e83cdaed7f90b9d1258e9c1e39b3231ed7381008ddd44c
SHA512d95ed6f4292edde714eecc1c374509c5d793c6a8cd51e92792e84decfcef7d7a779c589658da7174d513c9cae6d79898ef4d5d204dcd11a38f54674a1d8bd0f8
-
Filesize
550KB
MD555381a45a9f8d15d448a44a6fcede0f8
SHA1ded5a07d33b22c25350d5acb6a41a51a04a95558
SHA256d029051c4a9e3b50f4e83cdaed7f90b9d1258e9c1e39b3231ed7381008ddd44c
SHA512d95ed6f4292edde714eecc1c374509c5d793c6a8cd51e92792e84decfcef7d7a779c589658da7174d513c9cae6d79898ef4d5d204dcd11a38f54674a1d8bd0f8
-
Filesize
278KB
MD5c833c4649bfda0bba8decbc9dd1498c4
SHA1087886c86f7c2073a46f8f6ff065308ba16cd1bb
SHA256ba1d1e52dc70863ceedd09b6be3bb3e4f6ef036d11fe109e550b0f7d7bbf1886
SHA512c5e6b1c39850ddba8eeaae7f0456a611788054ab02fc699c5d3fd3b76c90e21d2ff76872b1836da4c7e9b1c26cd54e88a69c166999447c4e35fbb0431be9af53
-
Filesize
278KB
MD5c833c4649bfda0bba8decbc9dd1498c4
SHA1087886c86f7c2073a46f8f6ff065308ba16cd1bb
SHA256ba1d1e52dc70863ceedd09b6be3bb3e4f6ef036d11fe109e550b0f7d7bbf1886
SHA512c5e6b1c39850ddba8eeaae7f0456a611788054ab02fc699c5d3fd3b76c90e21d2ff76872b1836da4c7e9b1c26cd54e88a69c166999447c4e35fbb0431be9af53
-
Filesize
361KB
MD5e43d400926f6323fd3f2ba7e52f94b1d
SHA14ba024e6b9dfef3a61956b37e211429276398519
SHA2565c93d8adb0027838ffc7f2b367f5070710fcbb709bd35f6880782d798425a4b1
SHA51211a9ff5ae70f1c0ad31000e66dfcef28fbdb3b423821448b9aca190bfc3c9e480d92cdcb0e1fedc6227eeac73576e080af1a274fd595f4615f2457851be38f47
-
Filesize
361KB
MD5e43d400926f6323fd3f2ba7e52f94b1d
SHA14ba024e6b9dfef3a61956b37e211429276398519
SHA2565c93d8adb0027838ffc7f2b367f5070710fcbb709bd35f6880782d798425a4b1
SHA51211a9ff5ae70f1c0ad31000e66dfcef28fbdb3b423821448b9aca190bfc3c9e480d92cdcb0e1fedc6227eeac73576e080af1a274fd595f4615f2457851be38f47