Analysis
- max time kernel: 60s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2023, 23:51
- Static task: static1
General
- Target: 9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe
- Size: 704KB
- MD5: 840bf079aad54aef64f647f66871d572
- SHA1: 0c59bd5ea32dacbe2eff5816f081c5a15c0fb70c
- SHA256: 9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d
- SHA512: 944eb40a509313c5ca3586c5e5636cd3340289ffccf73ef22d157c6fca372c7120097e8ffd5eeeb882a99cb91f47c96dbf749a62d654790a7bbbebea3de1bdce
- SSDEEP: 12288:Ay904HrYo51T2E827CnJ+sx7ittI1HzCBKIznM1O/Kcc+e1d:AyBHrX51T827CJnx7iyTwKITqdd
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings (all by pr738755.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Values set (int) under that key:
- DisableBehaviorMonitoring = "1"
- DisableIOAVProtection = "1"
- DisableOnAccessProtection = "1"
- DisableRealtimeMonitoring = "1"
- DisableScanOnRealtimeEnable = "1"
These are the Group Policy values for Defender real-time protection. The report records the writes, not their effect: when Tamper Protection is on, Defender ignores changes to these settings made through the registry, so on a real host confirm the effective state with Get-MpComputerStatus (RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled, OnAccessProtectionEnabled) rather than from the registry alone.
Executes dropped EXE 4 IoCs
pid | Process
5028 | un205020.exe
4208 | pr738755.exe
4628 | qu868364.exe
1500 | si330234.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification (all by pr738755.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Value set (int): TamperProtection = "0"
This is the switch that would let the policy writes above take effect. Tamper Protection exists to block exactly this kind of change, so on a protected host the write does not turn it off; check IsTamperProtected in Get-MpComputerStatus.
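A detection for the two Defender signatures above (the Real-Time Protection policy values and the TamperProtection feature flag), as an added example that is not part of the sandbox report or the sample: it parses Sysmon Event ID 13 (registry value set) records and flags the writes the report attributes to pr738755.exe. The key paths and value names are taken from the report; the flat key=value rendering of Sysmon events, the _sysmon13 helper that builds the sample records, and the records themselves are constructed for this example and are not real telemetry.

```python
"""Flag the Windows Defender tampering from this report in Sysmon registry events.

Added example, not part of the sandbox report. Key paths and value names come
from the report; the log format below (flat key=value rendering of Sysmon
Event ID 13) is an assumption, adapt parse_event to what your pipeline emits.
"""
import re
from typing import Dict, List, Optional

REALTIME_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
REALTIME_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
FEATURES_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features"

_HIVE_RE = re.compile(r"^(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\", re.IGNORECASE)
_WOW_RE = re.compile(r"\\WOW6432Node(?=\\)", re.IGNORECASE)
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
_DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9A-Fa-f]+)\)")


def normalize_key(path: str) -> str:
    """Drop the hive prefix and the WOW6432Node 32-bit view so one rule matches
    both spellings; the report shows the 32-bit sample writing under WOW6432Node."""
    return _WOW_RE.sub("", _HIVE_RE.sub("", path)).lower()


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an Event ID 13 record, or None for any other event."""
    fields = dict(_FIELD_RE.findall(line))
    if fields.get("EventID") != "13":
        return None
    key, _, value_name = fields.get("TargetObject", "").rpartition("\\")
    return {"image": fields.get("Image", ""), "key": normalize_key(key),
            "value": value_name, "details": fields.get("Details", "")}


def dword(details: str) -> Optional[int]:
    m = _DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def detect_defender_tampering(lines: List[str]) -> List[Dict[str, str]]:
    """Flag writes that disable a real-time protection component by policy or
    turn Tamper Protection off. Writing 0 to a Disable* value re-enables the
    component, so it is not flagged."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        val = dword(ev["details"])
        name = ev["value"].lower()
        if ev["key"] == REALTIME_POLICY_KEY.lower() and name in REALTIME_DISABLE_VALUES and val == 1:
            findings.append({**ev, "reason": "real-time protection component disabled by policy"})
        elif ev["key"] == FEATURES_KEY.lower() and name == "tamperprotection" and val == 0:
            findings.append({**ev, "reason": "Tamper Protection switched off"})
    return findings


def _sysmon13(image: str, key: str, value: str, data: str) -> str:
    # Constructed rendering of a Sysmon Event ID 13 record (assumed format).
    return f"EventID=13  Image={image}  TargetObject={key}\\{value}  Details={data}"


_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe"
_RT = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Constructed records mirroring the writes in the report, plus two that must not fire.
SAMPLE_EVENTS = [
    _sysmon13(_SAMPLE, _RT, "DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    _sysmon13(_SAMPLE, _RT, "DisableIOAVProtection", "DWORD (0x00000001)"),
    _sysmon13(_SAMPLE, _RT, "DisableOnAccessProtection", "DWORD (0x00000001)"),
    _sysmon13(_SAMPLE, _RT, "DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _sysmon13(_SAMPLE, _RT, "DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    _sysmon13(_SAMPLE, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features",
              "TamperProtection", "DWORD (0x00000000)"),
    # Benign: an admin re-enabling real-time monitoring from the 64-bit view.
    _sysmon13(r"C:\Windows\regedit.exe",
              r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
              "DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    # Not a registry event at all.
    "EventID=1  Image=C:\\Windows\\SysWOW64\\WerFault.exe  CommandLine=WerFault.exe -u -p 4208 -s 1080",
]

if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"{f['image']}: {f['value']} -> {f['reason']}")
```

The WOW6432Node prefix is normalised away because pr738755.exe is a 32-bit process (its crash is handled by C:\Windows\SysWOW64\WerFault.exe), so its registry writes appear under the 32-bit view; a rule keyed on the native path alone would miss them. A hit from this rule says the write happened, not that protection went down, so pair it with the Get-MpComputerStatus check noted above.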
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" | 9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un205020.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" | un205020.exe
The wextract_cleanupN values are the cleanup entries written by the Windows self-extracting cabinet stub (wextract): advpack.dll,DelNodeRunDLL32 deletes the IXP<nnn>.TMP extraction directory at next logon. They are not persistence for the payload. What they do tell you is that the sample is a two-level self-extractor (IXP000.TMP from the outer stage, IXP001.TMP from un205020.exe) and where the dropped stages live.
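A small classifier for the RunOnce entries above, as an added example that is not part of the sandbox report: it recognises the wextract cleanup pattern (rundll32 advpack.dll,DelNodeRunDLL32 on an IXP<nnn>.TMP directory), returns the extraction directory so the dropped files can be collected, and leaves anything else for review. The two REPORT_RUNONCE values are the report's own (with the report's doubled backslashes undone); the other entries used in the checks are constructed.

```python
"""Separate wextract cleanup RunOnce entries from ones that need a look.

Added example, not part of the sandbox report. The two REPORT_RUNONCE values
are taken from the report; everything else is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# rundll32[.exe] [<path>\]advpack.dll,DelNodeRunDLL32 "<dir>[\]"
_CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[A-Za-z]:\\[^,]*\\)?advpack\.dll,DelNodeRunDLL32'
    r'\s+"?(?P<dir>[^"]+?)\\?"?\s*$',
    re.IGNORECASE,
)
# The self-extractor stub names its temp directory IXP<three digits>.TMP.
_IXP_DIR_RE = re.compile(r"\\IXP\d{3}\.TMP$", re.IGNORECASE)


def classify_runonce(name: str, data: str) -> Tuple[str, str]:
    """Return (category, detail).

    sfx-cleanup   : the stub's own cleanup of an IXP<nnn>.TMP directory; detail is that directory
    delnode-other : DelNodeRunDLL32 pointed somewhere else; detail is the target, worth a look
    review        : anything else; detail is the raw value
    """
    m = _CLEANUP_RE.match(data.strip())
    if m:
        target = m.group("dir").rstrip("\\")
        if name.lower().startswith("wextract_cleanup") and _IXP_DIR_RE.search(target):
            return "sfx-cleanup", target
        return "delnode-other", target
    return "review", data


def extraction_dirs(entries: Dict[str, str]) -> List[str]:
    """Directories the self-extractor stages unpacked into; where the dropped EXEs live."""
    return sorted(
        detail
        for name, data in entries.items()
        for category, detail in [classify_runonce(name, data)]
        if category == "sfx-cleanup"
    )


# Values from the report, with the JSON-style doubled backslashes undone.
REPORT_RUNONCE: Dict[str, str] = {
    "wextract_cleanup0": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
    "wextract_cleanup1": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
}

if __name__ == "__main__":
    for name, data in REPORT_RUNONCE.items():
        print(name, classify_runonce(name, data))
    print("collect from:", extraction_dirs(REPORT_RUNONCE))
```

The name prefix and the IXP<nnn>.TMP suffix are both required for the sfx-cleanup verdict; a DelNodeRunDLL32 entry that deletes any other path is reported separately, since the same export can be used to wipe evidence.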
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3532 | 4208 | WerFault.exe | 86
4032 | 4628 | WerFault.exe | 92
Both crashed processes are second-stage payloads (4208 is pr738755.exe, 4628 is qu868364.exe), handled by the SysWOW64 WerFault, i.e. 32-bit processes.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4208 | pr738755.exe
4208 | pr738755.exe
4628 | qu868364.exe
4628 | qu868364.exe
1500 | si330234.exe
1500 | si330234.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4208 | pr738755.exe
Token: SeDebugPrivilege | 4628 | qu868364.exe
Token: SeDebugPrivilege | 1500 | si330234.exe
Suspicious use of WriteProcessMemory 12 IoCs
Each parent-to-child write is recorded three times in the report; the distinct entries are:
description | pid | Process | procid_target
PID 1280 wrote to memory of 5028 | 1280 | 9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe | 85
PID 5028 wrote to memory of 4208 | 5028 | un205020.exe | 86
PID 5028 wrote to memory of 4628 | 5028 | un205020.exe | 92
PID 1280 wrote to memory of 1500 | 1280 | 9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe | 95
Every target is the writer's own child in the process tree below, so these writes line up with process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe (PID 1280)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe (PID 5028)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe (PID 4208)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe (PID 3532)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1080
            - Program crash
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe (PID 4628)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe (PID 4032)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1340
            - Program crash
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe (PID 1500)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\WerFault.exe (PID 4332)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4208 -ip 4208
1. C:\Windows\SysWOW64\WerFault.exe (PID 988)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4628 -ip 4628
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 136KB
MD5: ace73b2b1f835de11594ea9a243a9f5c
SHA1: 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256: 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512: 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize: 549KB
MD5: 82ec6afdd501c9a3c905a8898780e346
SHA1: aaff301fc96ab46ee46e83a15a3b3b272cdc942a
SHA256: 7e78e6c2ac3add67b6ba629bc39da526e12cd5c4425b4e66282b71636074028c
SHA512: 0589875ab791438dfcea223d03b287a8fc81809ed87805e1fc56a050d9380e040db6624e17e978aecb33b88b90fb54f0c89f2b7ebf3333a193297298e7c79960
-
Filesize: 278KB
MD5: f044fcaeb9896ee1fdb250673ffd63e6
SHA1: 5955d1441c9160a49e37cf27f0db01490cef87b6
SHA256: 681980a7ad175640cdbbe69864de16b1bef0645f13e67451548d51a64540bdbe
SHA512: 623200c0c4e5045bfbee376a2e79c92ed988f98c6bac84be0e5799fc981272cbf4460daf8c3c3f854ff2849fb2af1b44ea4a58e7f4bf2a782e3e33ca76b87b8a
-
Filesize: 361KB
MD5: 2c02b728f5fb060ee8a6fd76046e45cd
SHA1: 998885f23a9539a6c71b43255267f6ce1194819a
SHA256: d00ba9249944a9e3633b03dfcc9ccf5852d0b8c47f9c25b894cdf88152ba1d9d
SHA512: 51de1081544044d3f6ffc97146ce2ed47c637087c8f391edcdc03ee7dd1850027cff0c3c23bd7b032c6e89bc2e8cfc8a2f8d2e1a5a3f2ff21075ad0c6226bbde