Analysis
-
max time kernel
47s -
max time network
56s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
23/04/2023, 23:49
Static task
static1
General
-
Target
765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe
-
Size
563KB
-
MD5
0f008d7fbacbe521b0842ee8ffc0ea34
-
SHA1
790adb3a8aaa071e1b8af54913df6d684515d6fd
-
SHA256
765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c
-
SHA512
736cf354d363669a9c600a22014123422b78832e9a4b63cc7a3aff272df6c90a40298db3ca07fe51fda2f2f7a1249dde12f31041279278b4d0019483383121c1
-
SSDEEP
12288:oy90d8/bTYjZL/JZmNzfIlfz10eomnM1Ov2yB0q+:oyB4FTHmNyrOeoyi2/+
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it326437.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it326437.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it326437.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it326437.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it326437.exe -
Executes dropped EXE 4 IoCs
pid Process 2248 zius1826.exe 2600 it326437.exe 2648 kp013838.exe 1456 lr055601.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it326437.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce zius1826.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zius1826.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2600 it326437.exe 2600 it326437.exe 2648 kp013838.exe 2648 kp013838.exe 1456 lr055601.exe 1456 lr055601.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2600 it326437.exe Token: SeDebugPrivilege 2648 kp013838.exe Token: SeDebugPrivilege 1456 lr055601.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2060 wrote to memory of 2248 2060 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe 66 PID 2060 wrote to memory of 2248 2060 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe 66 PID 2060 wrote to memory of 2248 2060 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe 66 PID 2248 wrote to memory of 2600 2248 zius1826.exe 67 PID 2248 wrote to memory of 2600 2248 zius1826.exe 67 PID 2248 wrote to memory of 2648 2248 zius1826.exe 68 PID 2248 wrote to memory of 2648 2248 zius1826.exe 68 PID 2248 wrote to memory of 2648 2248 zius1826.exe 68 PID 2060 wrote to memory of 1456 2060 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe 70 PID 2060 wrote to memory of 1456 2060 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe 70 PID 2060 wrote to memory of 1456 2060 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe"C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5ace73b2b1f835de11594ea9a243a9f5c
SHA12f929d1f69784fbe499a95b064679a16947bdd84
SHA2567310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize
136KB
MD5ace73b2b1f835de11594ea9a243a9f5c
SHA12f929d1f69784fbe499a95b064679a16947bdd84
SHA2567310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize
409KB
MD59624984b0c80a4817ddaf7a2fc58b294
SHA1d56745ea704ff655d9d8076ae59156a04df437a8
SHA2563c060adcfd9d8d3d51bf9775bc221871cc64547a18240d2bac20d0968c8f2a00
SHA51260b95c75b699747545415c830d17fc22ff875b29a9b76d1d8a1483d2bfbdbd61cd287d80dac03bc530c729ce5c82cd9af7c1b2481d1ac690a69dc675f5a59733
-
Filesize
409KB
MD59624984b0c80a4817ddaf7a2fc58b294
SHA1d56745ea704ff655d9d8076ae59156a04df437a8
SHA2563c060adcfd9d8d3d51bf9775bc221871cc64547a18240d2bac20d0968c8f2a00
SHA51260b95c75b699747545415c830d17fc22ff875b29a9b76d1d8a1483d2bfbdbd61cd287d80dac03bc530c729ce5c82cd9af7c1b2481d1ac690a69dc675f5a59733
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
361KB
MD5643e9671a5ba78ad1ae8dc24f8d7c70a
SHA1ce311b668a8b23ac7b3ed5bc44e0653fa07eb3c1
SHA256ab97a0dc3fee55085d714eda320aa89d408bae1e9bc5350dcb6f58c61d037a4f
SHA5127fa1e804f5a2856c14a6997ff3a20de70d9295ff1be2aaa6e2e9895a8b34b746b6f17ee1680e42251529e70386376ceffcfe14b338fa8ec7696bfd83a59f85e0
-
Filesize
361KB
MD5643e9671a5ba78ad1ae8dc24f8d7c70a
SHA1ce311b668a8b23ac7b3ed5bc44e0653fa07eb3c1
SHA256ab97a0dc3fee55085d714eda320aa89d408bae1e9bc5350dcb6f58c61d037a4f
SHA5127fa1e804f5a2856c14a6997ff3a20de70d9295ff1be2aaa6e2e9895a8b34b746b6f17ee1680e42251529e70386376ceffcfe14b338fa8ec7696bfd83a59f85e0