Analysis
max time kernel: 54s
max time network: 71s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/04/2023, 23:50
Static task: static1
General
Target: 074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
Size: 703KB
MD5: ceaf0ce3b0036d2e17a179a1eec7ddc0
SHA1: 40367912bcfce0c977206a4070a79910e4703d31
SHA256: 074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e
SHA512: ea608b1108c33702c55342c005e7b5d200eb37e961159ac6476c0278a5f9ac2ecedfefec496e72715770948d556a1d0ccf15c1dd0f38305f1886c4885043c592
SSDEEP: 12288:Zy90+2YJFXNbwRip07UYqLTec2VKtWI1zzC9MIznMqo/KbdtdGT:ZyXBw1UpL0KZ/MMIDp7dHGT
Signatures

Modifies Windows Defender Real-time Protection settings (5 IoCs)
All five values are DWORDs (Set value (int)) written by pr315516.exe under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection:

  Value                        Data   Process
  DisableBehaviorMonitoring    1      pr315516.exe
  DisableIOAVProtection        1      pr315516.exe
  DisableOnAccessProtection    1      pr315516.exe
  DisableRealtimeMonitoring    1      pr315516.exe
  DisableScanOnRealtimeEnable  1      pr315516.exe

These are the Group Policy-backed Defender settings, so writing them requires administrative rights and switches off behaviour monitoring, IOAV (downloaded file) scanning, on-access scanning and real-time monitoring for the whole host (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). HKLM\SOFTWARE\Policies is one of the keys shared between the 32-bit and 64-bit registry views, so the writes land on the key the 64-bit Defender service reads even though the writer is a 32-bit process.
Executes dropped EXE (4 IoCs)
  PID   Process
  3372  un363612.exe
  4168  pr315516.exe
  3160  qu134620.exe
  3780  si142239.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries (ATT&CK T1555.003, Credentials from Web Browsers).
Windows security modification (2 IoCs)
  Description      IoC                                                                                      Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features               pr315516.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = 0   pr315516.exe

Note the WOW6432Node in the path: the 32-bit process was redirected by WOW64 registry redirection, and the value the 64-bit Defender service consults lives in the native view at HKLM\SOFTWARE\Microsoft\Windows Defender\Features. On a host with Tamper Protection enabled, Defender also blocks changes to that value, so this write is best read as intent (ATT&CK T1562.001) rather than as a confirmed effect.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 4 IoCs)
  Description      IoC                                                                                                     Process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                          074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 =      074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
                   rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                          un363612.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 =      un363612.exe
                   rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"

Caveat for triage: wextract_cleanupN RunOnce entries are written by the IExpress self-extractor (wextract) so that its IXP00N.TMP extraction directory is deleted at the next logon; each entry runs once and removes itself. Together with the IXP000.TMP and IXP001.TMP paths they show that the sample is a nested IExpress SFX package (the outer archive drops un363612.exe, which is itself an SFX dropping pr315516.exe and qu134620.exe). They are not a persistence mechanism for the payloads, even though the generic signature maps to ATT&CK T1547.001 (Registry Run Keys / Startup Folder).
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID   Process       Occurrences
  4168  pr315516.exe  2
  3160  qu134620.exe  2
  3780  si142239.exe  2
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description               PID   Process
  Token: SeDebugPrivilege   4168  pr315516.exe
  Token: SeDebugPrivilege   3160  qu134620.exe
  Token: SeDebugPrivilege   3780  si142239.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Four distinct parent-to-child writes, each recorded three times by the sandbox:

  Description                         PID   Process                                                                  procid_target  Recorded
  PID 3240 wrote to memory of 3372    3240  074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe    66             3x
  PID 3372 wrote to memory of 4168    3372  un363612.exe                                                             67             3x
  PID 3372 wrote to memory of 3160    3372  un363612.exe                                                             68             3x
  PID 3240 wrote to memory of 3780    3240  074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe    70             3x
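The registry signatures above are the ones an analyst would turn into detection logic. The script below is an added example, not part of the sandbox report: it classifies registry SetValue events in a Sysmon Event ID 13-like shape (a constructed list of dicts with image, target and details fields) and distinguishes the Defender policy writes, the WOW64-redirected TamperProtection write, an IExpress wextract_cleanup entry and a genuine Run-key persistence entry. The sample events copy the key paths from this report; the evil.exe and setup.exe events are constructed for contrast.

```python
"""Classify registry SetValue events for the Defender-tampering and Run-key
patterns seen in the report. Added example; the event shape is a constructed
stand-in for Sysmon Event ID 13 (RegistryEvent SetValue)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Values that switch off a real-time protection component when set to 1 under
# the Policies hive. HKLM\SOFTWARE\Policies is shared between the 32-bit and
# 64-bit registry views, so a 32-bit writer reaches the key Defender reads.
DEFENDER_RTP_KEY = r"software\policies\microsoft\windows defender\real-time protection"
DEFENDER_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
# Group 1 captures a WOW6432Node component, i.e. a redirected 32-bit write.
TAMPER_KEY_RE = re.compile(
    r"software\\(wow6432node\\)?microsoft\\windows defender\\features\\tamperprotection$")
# wextract_cleanupN is written by the IExpress self-extractor to delete its
# IXP00N.TMP directory at next logon: informational, not payload persistence.
WEXTRACT_RE = re.compile(r"\\runonce\\wextract_cleanup\d+$")
RUNKEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    tag: str
    image: str
    target: str


def _normalize(target: str) -> str:
    """Lower-case and map the kernel-style \\REGISTRY\\MACHINE prefix to HKLM."""
    return target.lower().replace("\\registry\\machine\\", "hklm\\")


def classify(event: dict) -> Finding | None:
    target = _normalize(event["target"])
    details = str(event.get("details", "")).strip().lower()
    key, _, value_name = target.rpartition("\\")
    if key.endswith(DEFENDER_RTP_KEY) and value_name in DEFENDER_DISABLE_VALUES:
        if details in ("1", "dword (0x00000001)"):
            return Finding("high", "defender_rtp_disabled", event["image"], event["target"])
    m = TAMPER_KEY_RE.search(target)
    if m and details in ("0", "dword (0x00000000)"):
        # Redirected to WOW6432Node: Defender reads the native view, so lower severity.
        severity = "medium" if m.group(1) else "high"
        return Finding(severity, "defender_tamper_protection_off", event["image"], event["target"])
    if WEXTRACT_RE.search(target) and "delnoderundll32" in details:
        return Finding("info", "iexpress_sfx_cleanup", event["image"], event["target"])
    if RUNKEY_RE.search(target):
        return Finding("medium", "run_key_persistence", event["image"], event["target"])
    return None


def scan(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that matches a rule, in input order."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events; the first four mirror IoCs from the report.
SAMPLE_EVENTS = [
    {"image": "pr315516.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"image": "pr315516.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
     "details": "DWORD (0x00000001)"},
    {"image": "pr315516.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "details": "DWORD (0x00000000)"},
    {"image": "un363612.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     "details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'},
    {"image": "evil.exe",  # constructed: a real Run-key persistence entry
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Admin\AppData\Roaming\updater.exe"},
    {"image": "setup.exe",  # constructed: unrelated write, should not match
     "target": r"HKLM\SOFTWARE\Vendor\App\Installed",
     "details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.tag:32} {f.image:14} {f.target}")
```

The rules key on the value name and data rather than on the process name, so the same logic applies to any writer; severity is lowered for the WOW6432Node TamperProtection case because the write never reaches the view the 64-bit Defender service reads.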
Processes

1. C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe (PID 3240)
   Command line: "C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe (PID 3372)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe (PID 4168)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe (PID 3160)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe (PID 3780)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
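The process tree above is the same information as the WriteProcessMemory records, which the sandbox logs three times per parent-to-child write. The script below is an added example, not part of the report: it parses a constructed copy of those records, collapses the repeats, and rebuilds the parent/child tree so the lineage can be checked against the tree the sandbox rendered. The PID-to-name map for the leaf processes is taken from the "Executes dropped EXE" table.

```python
"""Rebuild the process tree from 'PID X wrote to memory of Y' records.
Added example; RECORDS is a constructed copy of the report's 12 IoCs."""
import re
from collections import defaultdict

# Columns as in the report: description, pid, Process, procid_target.
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

DROPPER = "074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe"
RECORDS = "\n".join(
    [f"PID 3240 wrote to memory of 3372 3240 {DROPPER} 66"] * 3
    + ["PID 3372 wrote to memory of 4168 3372 un363612.exe 67"] * 3
    + ["PID 3372 wrote to memory of 3160 3372 un363612.exe 68"] * 3
    + [f"PID 3240 wrote to memory of 3780 3240 {DROPPER} 70"] * 3
)
# Names of processes that never write to another process come from the
# 'Executes dropped EXE' table in the report.
DROPPED_NAMES = {3372: "un363612.exe", 4168: "pr315516.exe",
                 3160: "qu134620.exe", 3780: "si142239.exe"}


def parse_records(text: str) -> tuple[dict, dict]:
    """Return ({(parent, child): count}, {pid: image}) from the raw records."""
    edges: dict = {}
    names: dict = {}
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        parent, child, pid, image, _target_id = m.groups()
        if parent != pid:  # the description and pid columns must agree
            raise ValueError(f"inconsistent record: {line!r}")
        names[int(parent)] = image
        edge = (int(parent), int(child))
        edges[edge] = edges.get(edge, 0) + 1
    return edges, names


def build_tree(edges: dict) -> tuple[list, dict]:
    """Return (root pids, {parent: [children in first-seen order]})."""
    children: dict = defaultdict(list)
    for parent, child in edges:
        if child not in children[parent]:
            children[parent].append(child)
    all_children = {child for _, child in edges}
    roots = [p for p in children if p not in all_children]
    return roots, dict(children)


def render(pids: list, children: dict, names: dict, depth: int = 1) -> list:
    """Indented lines in the same depth numbering the report uses (1, 2, 3)."""
    lines = []
    for pid in pids:
        lines.append("   " * (depth - 1) + f"{depth}. {names.get(pid, '?')} (PID {pid})")
        lines.extend(render(children.get(pid, []), children, names, depth + 1))
    return lines


def process_tree(text: str = RECORDS) -> list:
    edges, names = parse_records(text)
    names = {**DROPPED_NAMES, **names}
    roots, children = build_tree(edges)
    return render(roots, children, names)


if __name__ == "__main__":
    print("\n".join(process_tree()))
```

Deduplicating on the (parent, child) pair rather than on the raw line keeps the count of repeats available (three per write here), which is worth keeping: a parent that writes into a child once, in this pattern, is the ordinary CreateProcess path, whereas many writes into an already running process would point at injection.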
Downloads

Filesize: 136KB
MD5: ace73b2b1f835de11594ea9a243a9f5c
SHA1: 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256: 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512: 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

Filesize: 549KB
MD5: 592280f75e4c1d6252c30fcd978b428b
SHA1: 6590d2b253f55789079e2fcfedb2d2d0cf8ed919
SHA256: 35009834caa4936e938a0af163004a50ff15edf06d722a06c5429526f4349351
SHA512: 564eb8a927c6486ec0125900cc1b7d0eee27d3df31e7a779ee176d1588e527a018cc15de92831a9941ff0494624e907ec09bdb2a0c91289bc709c6a222900e29

Filesize: 278KB
MD5: ea129ae4e2eec913a0abb8a1860e383d
SHA1: cc11444a5348d0948ccfb353ddfc0199d4f79897
SHA256: faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752
SHA512: 88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a

Filesize: 361KB
MD5: dbd9429a188264660be8c2063838216e
SHA1: 0755dfb277703fc264026eedffa4d6ce2f211536
SHA256: 4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9
SHA512: 60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513