Analysis
max time kernel: 61s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 23:48
Static task: static1
General
Target: a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe
Size: 564KB
MD5: 2f15f98cfb33dcccf0904d412ac3f3d1
SHA1: 576e06383b77ab6d6fba4ae5bd4290533be39c78
SHA256: a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097
SHA512: 9bd554d6d91fce68d1e0387870e5a023f9fb3321b1a804017d5b2e57821299ee1124f299b2f771adbfa005745e0afb8f3f859c81caed82df521314a13721e2b9
SSDEEP: 12288:sy90EBWvnTrYYFbANUxOgWIkaz+0/lzFMFV99SLZC:sy5BKnTrYY0Ux1ySJ/lZCj90ZC
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it246830.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it246830.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it246830.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it246830.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it246830.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it246830.exe
Executes dropped EXE 4 IoCs
pid | Process
4136 | ziIk2912.exe
4736 | it246830.exe
4632 | kp042659.exe
4276 | lr484900.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it246830.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziIk2912.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziIk2912.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4700 | 4632 | WerFault.exe | 89
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4736 | it246830.exe
4736 | it246830.exe
4632 | kp042659.exe
4632 | kp042659.exe
4276 | lr484900.exe
4276 | lr484900.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4736 | it246830.exe
Token: SeDebugPrivilege | 4632 | kp042659.exe
Token: SeDebugPrivilege | 4276 | lr484900.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4300 wrote to memory of 4136 | 4300 | a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe | 83
PID 4300 wrote to memory of 4136 | 4300 | a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe | 83
PID 4300 wrote to memory of 4136 | 4300 | a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe | 83
PID 4136 wrote to memory of 4736 | 4136 | ziIk2912.exe | 84
PID 4136 wrote to memory of 4736 | 4136 | ziIk2912.exe | 84
PID 4136 wrote to memory of 4632 | 4136 | ziIk2912.exe | 89
PID 4136 wrote to memory of 4632 | 4136 | ziIk2912.exe | 89
PID 4136 wrote to memory of 4632 | 4136 | ziIk2912.exe | 89
PID 4300 wrote to memory of 4276 | 4300 | a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe | 95
PID 4300 wrote to memory of 4276 | 4300 | a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe | 95
PID 4300 wrote to memory of 4276 | 4300 | a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe | 95
Processes (indented by process-tree depth)
[depth 1] C:\Users\Admin\AppData\Local\Temp\a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a9ccf55524ff8403a006ab4e5f0b4e3eb2334e28cd12e579bfa433c69d1be097.exe"
    PID: 4300
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIk2912.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIk2912.exe
        PID: 4136
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it246830.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it246830.exe
            PID: 4736
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp042659.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp042659.exe
            PID: 4632
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            [depth 4] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1828
                PID: 4700
                - Program crash
    [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr484900.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr484900.exe
        PID: 4276
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4632 -ip 4632
    PID: 3516
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 136KB
MD5: ace73b2b1f835de11594ea9a243a9f5c
SHA1: 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256: 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512: 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize: 409KB
MD5: 58475b69c69d1b9bb9d091de311605c4
SHA1: 07a6b6018f7429e13130b9020c952368bb18dfe3
SHA256: 45492004f1c15f5952529d2b0353503772446e6232d20da91d8b7c54f671d7ca
SHA512: 1836e91170fb3cdbe693fba55969513415cfc987cb9875d554194014d61aea6fdcfe8b265ea30cf6ee884491d6f31e33a515e8de246f526bf4ee4e67c5e50876
-
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize: 361KB
MD5: 7fee7913d19ca16799cc9712bff39f21
SHA1: a972d7ebfc41efd33bfbe2ccb8c71fcfe7a2d125
SHA256: f63afc2734822a357b3f29c58ffe137e1148dfd5089698ede15a318ddb1343e1
SHA512: dd2b74792d777cb13f792c8146f1e092b8a9f03e6fa64fabf43ad0145edf83608bdf0203821a6b3cfc1f9639a28434a39cc8030b5a90c9f7ffc36d570e3e8376