Analysis
max time kernel: 56s
max time network: 60s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/04/2023, 23:46
Static task: static1
General
Target: cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe
Size: 704KB
MD5: 685364c7d17355a3c30ec6a3be765449
SHA1: bf5119ff6b6d484e22551e843e5f6587369cf18f
SHA256: cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06
SHA512: 0f4b6af33642a8229c9b750bd64b1a2e9f50966345007e15259c80796891bf1cc1a2e6109a1ba61f25c8eed1b6c5c044d640ec96ce155b52fa37460bdec5ddc3
SSDEEP: 12288:Ay90ai8/jbTob6cI2mNNRDqqf57tNI1uzChnIzWMqK/K0ztw:Ayd/jb06lNHuOh2WgnICJyzK
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr085756.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr085756.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr085756.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr085756.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr085756.exe
Executes dropped EXE 4 IoCs
pid | Process
2488 | un964890.exe
2812 | pr085756.exe
3652 | qu822990.exe
2500 | si053447.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr085756.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr085756.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" | cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un964890.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" | un964890.exe
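Two things in the registry IoCs above deserve a detection, and one deserves a caveat. The five Real-Time Protection policy values written by pr085756.exe each disable a Defender feature when set to 1, and the Features\TamperProtection = 0 write is the attempt to switch off the protection that would otherwise block those policy writes (the Windows 10 1703 image used for this run predates Tamper Protection, so the writes simply succeed here; on current builds the attempt itself is the high-signal event). The wextract_cleanupN RunOnce values, by contrast, are what Windows' own IExpress/wextract self-extractor writes so that advpack.dll DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon: on their own they only tell you the sample is an IExpress package nested twice (IXP000.TMP from the outer file, IXP001.TMP from un964890.exe), which is useful for recovering the staging directories but is not persistence of the payload.

The following is an added detection example and not part of this report or of any sandbox's code. It runs over constructed Sysmon Event ID 13-style registry events built from the IoCs above, normalises the sandbox's native \REGISTRY\MACHINE prefix to the HKLM form Sysmon logs, flags a Defender policy write only when the value actually disables the feature, and recovers the IXP00n.TMP staging directories from the DelNodeRunDLL32 command. The gpupdate.exe control event and the exact "DWORD (0x…)" Details format are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Sysmon Event ID 13 (RegistryEvent, value set) logs HKLM\...; the sandbox report
# shows the kernel's native \REGISTRY\MACHINE\... form. Normalise to HKLM first.
NATIVE_HKLM = "\\REGISTRY\\MACHINE\\"
RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
TAMPER_VALUE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection"
RUNONCE_RE = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")  # Sysmon's Details format (assumed here)


@dataclass(frozen=True)
class RegEvent:
    process: str  # Image of the writing process
    target: str   # TargetObject: key path + value name
    details: str  # Details: "DWORD (0x00000001)" or the string payload


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def normalise(target: str) -> str:
    """Rewrite the native \\REGISTRY\\MACHINE\\ prefix as HKLM\\ so both forms match."""
    if target.upper().startswith(NATIVE_HKLM):
        return "HKLM\\" + target[len(NATIVE_HKLM):]
    return target


def dword(details: str):
    """Integer value of a DWORD Details string, or None for non-DWORD payloads."""
    m = DWORD_RE.fullmatch(details)
    return int(m.group(1), 16) if m else None


def classify(events):
    """One Finding per event matching a rule. Value-aware: a write that re-enables
    a feature (Disable* = 0) or turns TamperProtection on is not reported."""
    findings = []
    for ev in events:
        target = normalise(ev.target)
        key, _, name = target.rpartition("\\")
        if key.lower() == RTP_POLICY.lower() and name in RTP_DISABLE_VALUES and dword(ev.details) == 1:
            findings.append(Finding("defender_rtp_disabled", ev.process, name))
        elif target.lower() == TAMPER_VALUE.lower() and dword(ev.details) == 0:
            findings.append(Finding("defender_tamper_protection_off", ev.process, name))
        elif RUNONCE_RE.search(target) and (m := DELNODE_RE.search(ev.details)):
            # IExpress/wextract cleanup command; the quoted path is the IXP00n.TMP
            # directory this stage was extracted into.
            findings.append(Finding("iexpress_runonce_cleanup", ev.process, m.group(1).rstrip("\\")))
    return findings


# Constructed events, taken from this report's registry IoCs, plus one control.
SAMPLE = "cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe"
POLICY_NATIVE = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE_NATIVE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
SAMPLE_EVENTS = [
    *(RegEvent("pr085756.exe", POLICY_NATIVE + "\\" + v, "DWORD (0x00000001)")
      for v in sorted(RTP_DISABLE_VALUES)),
    RegEvent("pr085756.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
             "DWORD (0x00000000)"),
    RegEvent(SAMPLE, RUNONCE_NATIVE + r"\wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    RegEvent("un964890.exe", RUNONCE_NATIVE + r"\wextract_cleanup1",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    # Control (constructed, not from the report): a policy refresh that re-enables
    # real-time monitoring must not fire.
    RegEvent("gpupdate.exe", POLICY_NATIVE + r"\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.process:16} {f.detail}")
```

Matching on the value, not just the value name, is the point: the same TargetObject is written by gpupdate.exe when an administrator reverts a policy, and a name-only rule would page on that. The two iexpress_runonce_cleanup findings give you the two staging directories to collect before the RunOnce entry deletes them.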
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2812 | pr085756.exe
2812 | pr085756.exe
3652 | qu822990.exe
3652 | qu822990.exe
2500 | si053447.exe
2500 | si053447.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2812 | pr085756.exe
Token: SeDebugPrivilege | 3652 | qu822990.exe
Token: SeDebugPrivilege | 2500 | si053447.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2392 wrote to memory of 2488 | 2392 | cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | 66
PID 2392 wrote to memory of 2488 | 2392 | cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | 66
PID 2392 wrote to memory of 2488 | 2392 | cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | 66
PID 2488 wrote to memory of 2812 | 2488 | un964890.exe | 67
PID 2488 wrote to memory of 2812 | 2488 | un964890.exe | 67
PID 2488 wrote to memory of 2812 | 2488 | un964890.exe | 67
PID 2488 wrote to memory of 3652 | 2488 | un964890.exe | 68
PID 2488 wrote to memory of 3652 | 2488 | un964890.exe | 68
PID 2488 wrote to memory of 3652 | 2488 | un964890.exe | 68
PID 2392 wrote to memory of 2500 | 2392 | cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | 70
PID 2392 wrote to memory of 2500 | 2392 | cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | 70
PID 2392 wrote to memory of 2500 | 2392 | cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | 70
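The twelve WriteProcessMemory rows are not twelve injections: the sandbox logs each write a parent makes into a newly created child during process setup, and every spawn here appears three times with the same procid_target. Collapsed to unique parent/child pairs the table encodes four edges, which is the whole execution chain. The following is an added example, not part of this report or of any sandbox's code: it parses the rows as listed, deduplicates them into edges, names each pid from the "Executes dropped EXE" table and the submitted sample, and renders the tree. The row format string and the assumption that each unique parent/child pair is one spawn are the example's own.

```python
import re
from collections import OrderedDict

# One row per WriteProcessMemory call, in the report's column order:
# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

SAMPLE = "cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe"

# Rows copied from the report's "Suspicious use of WriteProcessMemory" table.
WPM_ROWS = f"""
PID 2392 wrote to memory of 2488 2392 {SAMPLE} 66
PID 2392 wrote to memory of 2488 2392 {SAMPLE} 66
PID 2392 wrote to memory of 2488 2392 {SAMPLE} 66
PID 2488 wrote to memory of 2812 2488 un964890.exe 67
PID 2488 wrote to memory of 2812 2488 un964890.exe 67
PID 2488 wrote to memory of 2812 2488 un964890.exe 67
PID 2488 wrote to memory of 3652 2488 un964890.exe 68
PID 2488 wrote to memory of 3652 2488 un964890.exe 68
PID 2488 wrote to memory of 3652 2488 un964890.exe 68
PID 2392 wrote to memory of 2500 2392 {SAMPLE} 70
PID 2392 wrote to memory of 2500 2392 {SAMPLE} 70
PID 2392 wrote to memory of 2500 2392 {SAMPLE} 70
"""

# pid -> image, from the "Executes dropped EXE" table plus the submitted sample.
PROCESS_NAMES = {
    2392: SAMPLE, 2488: "un964890.exe", 2812: "pr085756.exe",
    3652: "qu822990.exe", 2500: "si053447.exe",
}


def parse_spawn_edges(rows: str):
    """Unique (parent, child) pairs in first-seen order, mapped to the parent's image.
    Assumption: each unique pair is one process creation, so the three repeated
    rows per pair collapse to a single edge."""
    edges = OrderedDict()
    for line in rows.splitlines():
        m = WPM_ROW.match(line.strip())
        if m:
            edges.setdefault((int(m.group(1)), int(m.group(2))), m.group(4))
    return edges


def build_tree(edges):
    """parent pid -> list of child pids, preserving spawn order."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    return children


def find_roots(edges):
    """Pids that spawn but were never spawned: the submitted sample."""
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return sorted(parents - kids)


def render(children, names, pid, depth=0):
    """Indented text tree, two spaces per level."""
    lines = [f"{'  ' * depth}{names.get(pid, '?')} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def process_tree(rows=WPM_ROWS, names=PROCESS_NAMES):
    edges = parse_spawn_edges(rows)
    children = build_tree(edges)
    lines = []
    for root in find_roots(edges):
        lines.extend(render(children, names, root))
    return lines


if __name__ == "__main__":
    print("\n".join(process_tree()))
```

The output is the same three-level chain the Processes section shows: the sample spawns un964890.exe and si053447.exe, and un964890.exe spawns pr085756.exe and qu822990.exe. Checking that the rebuilt tree agrees with the rendered one is a cheap sanity test when a report's tables and tree come from different parts of a pipeline.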
Processes
- C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe"
  PID: 2392
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe
    PID: 2488
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe
      PID: 2812
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe
      PID: 3652
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe
    PID: 2500
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 136KB
MD5: ace73b2b1f835de11594ea9a243a9f5c
SHA1: 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256: 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512: 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize: 549KB
MD5: c332b51782cb7cf1d27e6b3605b419aa
SHA1: 007ffecc0c769c8f7aa7c4ee761bb0037106192e
SHA256: 97eb4b0018aa7b9c6f8f8814b3d4f89eee13054a6ad613701e32597edbc18226
SHA512: b6d7f172f70a8ee50028e1e47962fbc9a560888d67deaed7de91befd9296427f2ceaf1cb97603a2b944e097755b80cebaa4ab232fb868401907b877b8a5e46b3
-
Filesize: 278KB
MD5: e2e38523ee959ad508786fab77e95adf
SHA1: 374580d357a6c2be50383738c4b6cc8aabe8e09a
SHA256: a8dd6b575680127f553c1f672ab35141ae0a27bd4f6f6880af3e5c0762718a0a
SHA512: 07d3829fbc9ba602d4773949bdf7fdb6dfe9e0beffde66281a25eed7d82bedce08c5b91f7dc4620acc44b53bdab4e5e2b2a1e1a5bfa8746cb4051866c139d809
-
Filesize: 361KB
MD5: 8d66a3b8048b0b447154ab28d2e7711d
SHA1: 77b618e270091d30f213aafdd19b40ca67a46691
SHA256: 7cdfe6e5c611408910f6f418ef987cc38e4018398cfbf3a5e5247132b4d6c7c7
SHA512: 371badf163248d263a48da4c14048bc7f4b0183035500266d34ab88a29c5219973140029eadf4cd7ba915b203ba8fe9f07d62a32f60036386b477f877fc18335