Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
23/04/2023, 23:54
Static task
static1
General

Target
a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe
Size
703KB
MD5
29f4b7d204e9635a9edea377b41ff300
SHA1
9298f86929bd333d28ee589a65e8eb21af09873b
SHA256
a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690
SHA512
4b1a48b5985ead5917dd878ecb8c27b1aa2d20502c0fcca5190286e068e3d6730b89d12cbebe896e492884810b0abb598857dd146cb0efeb6aeefa242f8c0817
SSDEEP
12288:ky90zLXacAPfwpy322kOYUCoEpbt0I1wzCOgIz+MiN/KIQ5kiNAKe+:kyq7DAHwMmloExr8/gI6F05kiNAs
Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr902841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr902841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr902841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr902841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr902841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr902841.exe

Executes dropped EXE 4 IoCs
pid | Process
944 | un405259.exe
2316 | pr902841.exe
1764 | qu660878.exe
2164 | si048248.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr902841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr902841.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un405259.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un405259.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
1072 | 2316 | WerFault.exe | 84
4888 | 1764 | WerFault.exe | 90

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2316 | pr902841.exe
2316 | pr902841.exe
1764 | qu660878.exe
1764 | qu660878.exe
2164 | si048248.exe
2164 | si048248.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2316 | pr902841.exe
Token: SeDebugPrivilege | 1764 | qu660878.exe
Token: SeDebugPrivilege | 2164 | si048248.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1176 wrote to memory of 944 | 1176 | a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe | 83
PID 1176 wrote to memory of 944 | 1176 | a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe | 83
PID 1176 wrote to memory of 944 | 1176 | a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe | 83
PID 944 wrote to memory of 2316 | 944 | un405259.exe | 84
PID 944 wrote to memory of 2316 | 944 | un405259.exe | 84
PID 944 wrote to memory of 2316 | 944 | un405259.exe | 84
PID 944 wrote to memory of 1764 | 944 | un405259.exe | 90
PID 944 wrote to memory of 1764 | 944 | un405259.exe | 90
PID 944 wrote to memory of 1764 | 944 | un405259.exe | 90
PID 1176 wrote to memory of 2164 | 1176 | a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe | 93
PID 1176 wrote to memory of 2164 | 1176 | a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe | 93
PID 1176 wrote to memory of 2164 | 1176 | a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe"
    PID: 1176
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe (depth 2)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe
        PID: 944
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe (depth 3)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe
            PID: 2316
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe (depth 4)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1080
                PID: 1072
                - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe (depth 3)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe
            PID: 1764
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe (depth 4)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1328
                PID: 4888
                - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe (depth 2)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe
        PID: 2164
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (depth 1)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2316 -ip 2316
    PID: 4252

C:\Windows\SysWOW64\WerFault.exe (depth 1)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1764 -ip 1764
    PID: 968
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize
136KB
MD5
ace73b2b1f835de11594ea9a243a9f5c
SHA1
2f929d1f69784fbe499a95b064679a16947bdd84
SHA256
7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512
024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

Filesize
549KB
MD5
07ac68f2be3aab9bb071d7b907d39379
SHA1
0654f0693f18f1f129a40ec0309bd86cf744c17c
SHA256
48038db3ecb15e2c93a574bb9795e616d973de200cd1e6fad04d89b1c0a227d0
SHA512
8abea60cbd4c7f2457d9525eb39f13ad1e7a08d2d4ecb3d01bf622f173e00a6344add195cb6bc38c0d83ae8e52fb2ae8af4871148492cc0b0ed717adf611d407

Filesize
278KB
MD5
e7f1771bf22f743bc715dde7cc81925b
SHA1
cf3e7b1ce49d5a083b886dc271e340aa93c73081
SHA256
19ebd4dc58e6cf02b2db94723bffc0585b751466fbf424e59b9117d1fd142d9f
SHA512
c1dfe69f70ad7f1678cf3a62cf15b3ad63afcd4fdde10ecbde54dd09b97cf41115a1f2418f80c2bc746b71d5adb3c097072023ac29b2c5bcfc4b94f4445d3372

Filesize
361KB
MD5
46a77d714dde37888f67478de5da8c39
SHA1
9703e7463650722f0480fd4f325166fb87084288
SHA256
cdb24c6234bfe795c753638e1daaf619550a8b80dbb791a9876cddfb84ac5dfb
SHA512
d4d4c84d1bfdf57a8c0aa95c3936f62e4cc631fef6efc5695ccbf3e1e838a3aff7fb0f18e247ba87f158d8235d0b74004b48d540b70b62e5a35a16497bd1768f