Analysis

max time kernel: 144s
max time network: 148s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/04/2023, 23:52
Static task: static1
General

Target: 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe
Size: 704KB
MD5: 24db1958144aaef6f6d7c936dfc5d251
SHA1: 2b822dc1caca62353158562b830bc08287b9a2b9
SHA256: 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06
SHA512: 4a4cbf6100b17440a49c88c85a2e1e3f246772f1274deb1993473d7decf5e2543a8fc7ab3bc7c7b7843c56fe72c6827ac3018878f1f829b5d29a2f023edf7836
SSDEEP: 12288:Wy90h+laVoWUK0I19vZLoQac6/758I15zCNgIzRMlt/KrUBwha4:WyUkkzR0I17LFS/HBwgItuLwhV
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr965475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr965475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr965475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr965475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr965475.exe
Executes dropped EXE 4 IoCs
pid | Process
2276 | un188790.exe
2392 | pr965475.exe
4876 | qu879277.exe
1840 | si747876.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr965475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr965475.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un188790.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un188790.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2392 | pr965475.exe
2392 | pr965475.exe
4876 | qu879277.exe
4876 | qu879277.exe
1840 | si747876.exe
1840 | si747876.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2392 | pr965475.exe
Token: SeDebugPrivilege | 4876 | qu879277.exe
Token: SeDebugPrivilege | 1840 | si747876.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2036 wrote to memory of 2276 | 2036 | 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | 66
PID 2036 wrote to memory of 2276 | 2036 | 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | 66
PID 2036 wrote to memory of 2276 | 2036 | 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | 66
PID 2276 wrote to memory of 2392 | 2276 | un188790.exe | 67
PID 2276 wrote to memory of 2392 | 2276 | un188790.exe | 67
PID 2276 wrote to memory of 2392 | 2276 | un188790.exe | 67
PID 2276 wrote to memory of 4876 | 2276 | un188790.exe | 68
PID 2276 wrote to memory of 4876 | 2276 | un188790.exe | 68
PID 2276 wrote to memory of 4876 | 2276 | un188790.exe | 68
PID 2036 wrote to memory of 1840 | 2036 | 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | 70
PID 2036 wrote to memory of 1840 | 2036 | 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | 70
PID 2036 wrote to memory of 1840 | 2036 | 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | 70
Processes

C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe"
  PID: 2036 (depth 1)
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe
    PID: 2276 (depth 2)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe
      PID: 2392 (depth 3)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe
      PID: 4876 (depth 3)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe
    PID: 1840 (depth 2)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads