Analysis
- max time kernel: 60s
- max time network: 82s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2023, 23:55
- Static task: static1
General
- Target: 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe
- Size: 704KB
- MD5: 9a37524a95a71955a7e824f6f8b868b7
- SHA1: dc1441fd0e0b8c8a04cb91e16cb9e5c45cbff53c
- SHA256: 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da
- SHA512: 37e88c017e223eb2a4515651b4c9230d9f373f8dc627d2e042e315c431b3bc105bd6053ad05014768ea22e3aab095f30f5a8714144db9855acdbf0d04a75cc60
- SSDEEP: 12288:Xy90+8S0PlMqZHOxU2966rFdV0wK23GI15zClKIzJMvc/K8S6awuR/P:XyuSuRuGArFXFK23vBQKIt4IaHR/P
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr742894.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr742894.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr742894.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr742894.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr742894.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr742894.exe

Executes dropped EXE 4 IoCs
pid | Process
- 1256 | un796873.exe
- 4208 | pr742894.exe
- 4268 | qu216446.exe
- 4768 | si203860.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 2 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr742894.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr742894.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un796873.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un796873.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
- 4856 | 4208 | WerFault.exe | 85
- 4856 | 4268 | WerFault.exe | 88

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
- 4208 | pr742894.exe
- 4208 | pr742894.exe
- 4268 | qu216446.exe
- 4268 | qu216446.exe
- 4768 | si203860.exe
- 4768 | si203860.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 4208 | pr742894.exe
- Token: SeDebugPrivilege | 4268 | qu216446.exe
- Token: SeDebugPrivilege | 4768 | si203860.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
- PID 1280 wrote to memory of 1256 | 1280 | 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | 84
- PID 1280 wrote to memory of 1256 | 1280 | 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | 84
- PID 1280 wrote to memory of 1256 | 1280 | 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | 84
- PID 1256 wrote to memory of 4208 | 1256 | un796873.exe | 85
- PID 1256 wrote to memory of 4208 | 1256 | un796873.exe | 85
- PID 1256 wrote to memory of 4208 | 1256 | un796873.exe | 85
- PID 1256 wrote to memory of 4268 | 1256 | un796873.exe | 88
- PID 1256 wrote to memory of 4268 | 1256 | un796873.exe | 88
- PID 1256 wrote to memory of 4268 | 1256 | un796873.exe | 88
- PID 1280 wrote to memory of 4768 | 1280 | 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | 91
- PID 1280 wrote to memory of 4768 | 1280 | 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | 91
- PID 1280 wrote to memory of 4768 | 1280 | 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | 91
Processes

[1] C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe (PID 1280)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe (PID 1256)
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe (PID 4208)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WerFault.exe (PID 4856)
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1096
                - Program crash

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe (PID 4268)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WerFault.exe (PID 4856)
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1324
                - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe (PID 4768)
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe (PID 4944)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4208 -ip 4208

[1] C:\Windows\SysWOW64\WerFault.exe (PID 3680)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4268 -ip 4268
Network
MITRE ATT&CK Enterprise v6
Downloads