Analysis
max time kernel: 94s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 23/04/2023, 23:47
Static task: static1

General
Target: 807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe
Size: 704KB
MD5: 4e5c4c7e5ecc20415b9b605d56349598
SHA1: 5ccea2f35ed29297e46e3272ec3d15c9bd179e47
SHA256: 807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b
SHA512: ca0b7d84d265fe38cf34c66fb98a1d094d834f24dfde392fbd4b8e90d115fee4c435fc30472427aef9661f2ae83285b747ba182e660aebcb0c47d562cd275507
SSDEEP: 12288:Dy90WMIqFpjWjwCNTP/nOLmt9I1fzCV3Iz/MzE/KOWFWVRYyi7aVDKe:DyzM/Fpj9CNJirM3ILc6WqRYhGH
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr899008.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr899008.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr899008.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr899008.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr899008.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr899008.exe

Executes dropped EXE 4 IoCs
pid | Process
4272 | un738542.exe
1268 | pr899008.exe
3464 | qu471212.exe
1276 | si223809.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr899008.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr899008.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un738542.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un738542.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
672 | 1268 | WerFault.exe | 84
628 | 3464 | WerFault.exe | 93

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1268 | pr899008.exe
1268 | pr899008.exe
3464 | qu471212.exe
3464 | qu471212.exe
1276 | si223809.exe
1276 | si223809.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1268 | pr899008.exe
Token: SeDebugPrivilege | 3464 | qu471212.exe
Token: SeDebugPrivilege | 1276 | si223809.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4452 wrote to memory of 4272 | 4452 | 807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe | 83
PID 4452 wrote to memory of 4272 | 4452 | 807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe | 83
PID 4452 wrote to memory of 4272 | 4452 | 807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe | 83
PID 4272 wrote to memory of 1268 | 4272 | un738542.exe | 84
PID 4272 wrote to memory of 1268 | 4272 | un738542.exe | 84
PID 4272 wrote to memory of 1268 | 4272 | un738542.exe | 84
PID 4272 wrote to memory of 3464 | 4272 | un738542.exe | 93
PID 4272 wrote to memory of 3464 | 4272 | un738542.exe | 93
PID 4272 wrote to memory of 3464 | 4272 | un738542.exe | 93
PID 4452 wrote to memory of 1276 | 4452 | 807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe | 96
PID 4452 wrote to memory of 1276 | 4452 | 807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe | 96
PID 4452 wrote to memory of 1276 | 4452 | 807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\807542b137786f75312f642ff1f048b64c478e83b97e40d83de47e9b16e1134b.exe"
    PID: 4452
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un738542.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un738542.exe
        PID: 4272
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr899008.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr899008.exe
            PID: 1268
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1080
                PID: 672
                - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu471212.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu471212.exe
            PID: 3464
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1320
                PID: 628
                - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si223809.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si223809.exe
        PID: 1276
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1268 -ip 1268
    PID: 1064

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3464 -ip 3464
    PID: 4764
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: ace73b2b1f835de11594ea9a243a9f5c
SHA1: 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256: 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512: 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

Filesize: 549KB
MD5: b74750e9084adc7884f7304df8b15d20
SHA1: c57ae2a9e93608ee65a000cb4e0c2a2172fabc70
SHA256: 0ffba035cd26f30e8b71a330b0da477a6526f155b1c460688804d7cf2e0be8e9
SHA512: 2f4531ac20cf2e4459bd78554187c49d93056a47fb381b42f6f03c501f7cb00073a620cc6d0840e40855cb97327767716f257afba9627d22eaa8882a54bc4a76

Filesize: 278KB
MD5: 9ef4579c9527618f89e8c8de82e28d70
SHA1: 48c665c23a1fdb26161842052dd68db3addf72a7
SHA256: 5c55f1df6f762549604af43b410b5730237c351abb472ec50e2d9936d089f963
SHA512: 514f6d06976ffaceaf0d721c6a5a36438f5a07adbd281932b927fa7a28b5045311f1d796c8f9f8b1e3e3375e24e694e50f0c6483a76259939ef44355242bd88e

Filesize: 361KB
MD5: 076f4677dd24df96aef54eeaed0da32e
SHA1: 7f46ff64c3d2960404f9e22ea3e23731a92aa818
SHA256: 08422937c0c081d8eee0b4c7a47eb318219382804a1a4aa2cd1ffd3da126cad3
SHA512: 99f908daa0cd00dd243c147003bf42713d75f9de6ff33e211326ab1d634c4a58bf08829e4bb59601ac86009b11aaf9a03b9e3bea1df809ed32c4dcd448bacf16