Analysis
max time kernel: 135s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 23:48
Static task: static1
General
Target: a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe
Size: 705KB
MD5: 5fc8f6358841599107e76ebb999835c6
SHA1: e5f841720f287b9d785485622a48191ea2d629fc
SHA256: a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91
SHA512: 6942e67a717b9cb97a031b29beeed74d74f1a6af0f080e2ca5ae0c3eedc11b720628a85fe7639bb3f2b8b688ac4c4e1c39328783ae170ce96aeaf806c2ef9bcc
SSDEEP: 12288:yy90uSKVUigjVQjxS2966racVXwpwx2Ts1o2I1DzCpbIzUMs9/a22Y5yjn:yyqHDijQAraUgpUUvYbIQH3Nyjn
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr706958.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr706958.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr706958.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr706958.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr706958.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr706958.exe
Executes dropped EXE 4 IoCs
pid | Process
976 | un983122.exe
4900 | pr706958.exe
208 | qu819586.exe
1256 | si681441.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr706958.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr706958.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un983122.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un983122.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
1568 | 4900 | WerFault.exe | 84
5020 | 208 | WerFault.exe | 87
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4900 | pr706958.exe
4900 | pr706958.exe
208 | qu819586.exe
208 | qu819586.exe
1256 | si681441.exe
1256 | si681441.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4900 | pr706958.exe
Token: SeDebugPrivilege | 208 | qu819586.exe
Token: SeDebugPrivilege | 1256 | si681441.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4380 wrote to memory of 976 | 4380 | a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe | 83
PID 4380 wrote to memory of 976 | 4380 | a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe | 83
PID 4380 wrote to memory of 976 | 4380 | a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe | 83
PID 976 wrote to memory of 4900 | 976 | un983122.exe | 84
PID 976 wrote to memory of 4900 | 976 | un983122.exe | 84
PID 976 wrote to memory of 4900 | 976 | un983122.exe | 84
PID 976 wrote to memory of 208 | 976 | un983122.exe | 87
PID 976 wrote to memory of 208 | 976 | un983122.exe | 87
PID 976 wrote to memory of 208 | 976 | un983122.exe | 87
PID 4380 wrote to memory of 1256 | 4380 | a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe | 90
PID 4380 wrote to memory of 1256 | 4380 | a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe | 90
PID 4380 wrote to memory of 1256 | 4380 | a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a4a5526cc16090a8affba57f45b8249f4fe56e4740516a01727ce4b726b6fd91.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4380
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un983122.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un983122.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 976
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr706958.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr706958.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4900
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1080
              - Program crash
              PID: 1568
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu819586.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu819586.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 208
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1332
              - Program crash
              PID: 5020
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si681441.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si681441.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1256

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4900 -ip 4900
  PID: 3868

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 208 -ip 208
  PID: 2340
Network
MITRE ATT&CK Enterprise v6
Downloads