Analysis
-
max time kernel
96s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
23/04/2023, 23:54
Static task
static1
General
-
Target
0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe
-
Size
564KB
-
MD5
6c81cc7c6778012b4aa28a3eb5c7211a
-
SHA1
a88872f85b30f8b7da8e6500a4bd8004be093c33
-
SHA256
0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d
-
SHA512
f116c26c3d23df8c10e1df572605f656b09ca259bfa7c2b595834141a2ecdb21675aba5a3c2a9c890b53ae8aa2224d89ea9ba2bc8cc75ebf64044c15b961d622
-
SSDEEP
12288:Oy901dNVjSElpceOC8xIC7zZ0P3knM2U6Ug+lg+W:OykPSmDOCwnCP3EVUoaHW
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it039265.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it039265.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it039265.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it039265.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it039265.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it039265.exe -
Executes dropped EXE 4 IoCs
pid Process 2120 zigw6999.exe 4472 it039265.exe 2976 kp386537.exe 4688 lr673288.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it039265.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce zigw6999.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zigw6999.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2180 2976 WerFault.exe 87 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4472 it039265.exe 4472 it039265.exe 2976 kp386537.exe 2976 kp386537.exe 4688 lr673288.exe 4688 lr673288.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4472 it039265.exe Token: SeDebugPrivilege 2976 kp386537.exe Token: SeDebugPrivilege 4688 lr673288.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3684 wrote to memory of 2120 3684 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe 85 PID 3684 wrote to memory of 2120 3684 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe 85 PID 3684 wrote to memory of 2120 3684 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe 85 PID 2120 wrote to memory of 4472 2120 zigw6999.exe 86 PID 2120 wrote to memory of 4472 2120 zigw6999.exe 86 PID 2120 wrote to memory of 2976 2120 zigw6999.exe 87 PID 2120 wrote to memory of 2976 2120 zigw6999.exe 87 PID 2120 wrote to memory of 2976 2120 zigw6999.exe 87 PID 3684 wrote to memory of 4688 3684 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe 90 PID 3684 wrote to memory of 4688 3684 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe 90 PID 3684 wrote to memory of 4688 3684 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe"C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 20164⤵
- Program crash
PID:2180
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2976 -ip 29761⤵PID:3928
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5ace73b2b1f835de11594ea9a243a9f5c
SHA12f929d1f69784fbe499a95b064679a16947bdd84
SHA2567310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize
136KB
MD5ace73b2b1f835de11594ea9a243a9f5c
SHA12f929d1f69784fbe499a95b064679a16947bdd84
SHA2567310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
-
Filesize
409KB
MD5dc2d8fdc8d3d46783ae2657058a75791
SHA184aeb242bf58ea8cb33f7edcbfde90a9ff9c26fe
SHA2569bb8049f683d803d4aabac99b19741fdbb28b45c81bed35d666d9f2a08462b0d
SHA512182cd5bf2242255bd0a9713e571ade0b6e7264f1b3f8d2737235b998f036ad98bc544d33f0f864642b09cbc64972dd03559d1c110d19ea5cb0669367d6a1e0ed
-
Filesize
409KB
MD5dc2d8fdc8d3d46783ae2657058a75791
SHA184aeb242bf58ea8cb33f7edcbfde90a9ff9c26fe
SHA2569bb8049f683d803d4aabac99b19741fdbb28b45c81bed35d666d9f2a08462b0d
SHA512182cd5bf2242255bd0a9713e571ade0b6e7264f1b3f8d2737235b998f036ad98bc544d33f0f864642b09cbc64972dd03559d1c110d19ea5cb0669367d6a1e0ed
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
361KB
MD5544d3ec4153b87860a314e032fda8170
SHA15fc6d3f97fa737ab59dd054e2087bf6d7fd990b6
SHA25696fefcf961481f099453b1719e61cb0e6bccd52ec64ee49beca8883c991839b6
SHA512cbfa328567999555a34ece31b60919d766fe82697eaf8263c3ae28a69114d8cf5e33a6f91f25c59593f7cda508340b2dad12d8d7a341c1cf0bb1208f26e91631
-
Filesize
361KB
MD5544d3ec4153b87860a314e032fda8170
SHA15fc6d3f97fa737ab59dd054e2087bf6d7fd990b6
SHA25696fefcf961481f099453b1719e61cb0e6bccd52ec64ee49beca8883c991839b6
SHA512cbfa328567999555a34ece31b60919d766fe82697eaf8263c3ae28a69114d8cf5e33a6f91f25c59593f7cda508340b2dad12d8d7a341c1cf0bb1208f26e91631